Emerging Class Action Threat: Consumer g g Personal Identification - - PowerPoint PPT Presentation

Presenting a live 90‐minute webinar with interactive Q&A

Emerging Class Action Threat: Consumer g g Personal Identification Data Violations

Strategies to Minimize Litigation Risks and Maximize Insurance Coverage

T d ’ f l f

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific THURS DAY, MAY 26, 2011

Today’s faculty features: Donna L. Wilson, Partner, Buckley Sandler, S anta Monica, Calif. Patrick N. Keegan, Member, Keegan Baker, Carlsbad, Calif. Linda D. Kornfeld, Partner, Jenner & Block, Los Angeles

The audio portion of the conference may be accessed via the telephone or by using your computer's

• speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “ Conference Materials” in the middle of the left-

hand column on your screen hand column on your screen.

• Click on the tab labeled “ Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Continuing Education Credits

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• Close the notification box
• In the chat box, type (1) your company name and (2) the number of

attendees at your location

• Click the blue icon beside the box to send

Tips for Optimal Quality

S d Q lit S

• und Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-869-6667 and enter your PIN when prompted Otherwise please send us a chat or e mail when prompted. Otherwise, please send us a chat or e-mail sound@ straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Qualit y

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again press the F11 key again.

Emerging Class Action Threat: Consumer Personal Identification Data Violations: Strategies

Legal Counsel to the Financial Services Industry

to Minimize Litigation Risks and Maximize

Financial Services Industry

Insurance Coverage

D L Wil Donna L. Wilson

May 26, 2010 May 26, 2010

THE PRESENTERS

• Donna L Wilson of BuckleySandler LLP
• Donna L. Wilson of BuckleySandler LLP

with the defense perspective dwilson@buckleysandler com dwilson@buckleysandler.com (424) 203-1010

• Patrick N. Keegan of Keegan & Baker, LLP

ith th l i tiff ti with the plaintiff perspective pkeegan@keeganbaker.com (858) 558 9400

6

(858) 558-9400

ABOUT DONNA L. WILSON

Donna L. Wilson is a partner in the Los Angeles office of BuckleySandler LLP, where she leads the Firm’s West Coast litigation practice. Ms. Wilson represents all forms of traditional and non-traditional financial services providers, including banks, mortgage companies, national retailers, franchisors, telecommunications and media companies, in a variety of privacy and information security, fair credit and state unfair and deceptive trade practice matters. In addition, Ms. Wilson assists corporate and individual policyholders in obtaining coverage in disputes ranging from individual directors/officers f f f f for defense costs, claims for coverage for alleged privacy and data breaches, as well as defense and liability costs for mass torts such as lead pigment and asbestos. Regardless

• f the context, Ms. Wilson’s unique experience litigating on behalf of plaintiffs -- including

class action and corporate plaintiffs – leads to a non-linear litigation approach that offers efficiency and creativity.

• Ms. Wilson writes and lectures extensively on class action litigation, privacy and data

breach issues, and insurance coverage. P i t j i i B kl S dl M Wil th h i f th C Fi i l Prior to joining BuckleySandler, Ms. Wilson was the co-chair of the Consumer Financial Services group at Kelley Drye & Warren LLP, and a litigator in its Privacy and Data Security Group. She also was a founding partner of that firm’s Insurance Recovery Group.

7

ABOUT PATRICK N. KEEGAN

Patrick Keegan, the co-founder and managing partner of Keegan & Baker, LLP, has worked on numerous class actions in which he acted as lead or co-lead counsel on behalf of a plaintiff class resulting in significant p g g

• recoveries. He has specialized in complex commercial litigation, including securities, antitrust and consumer

fraud litigation, and has successfully handled numerous complex commercial litigation matters. For example, Mr. Keegan was retained as post-trial defense counsel several days after a jury verdict was rendered against our client in the amount of approximately $24 million dollars (an $18 million dollar jury award and an attorneys fees motion for approximately $6 million dollars which we were successfully able to avoid) and an attorneys fees motion for approximately $6 million dollars, which we were successfully able to avoid). The award in that matter, entitled FF Orthotics Corp, Inc., et al. v. Good Feet, et al., Case No. GIC 791494, California Superior Court, San Diego County, (Judge Fredric Link) was grounded in antitrust violations, franchise law violations and unfair business practices violations. By virtue of the post trial work and the subsequent settlement negotiations (which included 11 plaintiffs), we were able to reduce the judgment to $4.25 million, paid over time, which allowed the individual defendants/shareholders to retain ownership of the defendant corporations and ultimately remove the defendant corporations from receivership. The defendant p y p p entities are currently again selling franchises nationwide and are in the process of expanding globally.

• Mr. Keegan has also acted as co-class counsel and co-trial counsel, in a class action entitled Jason A. Park v.

Cytodyne Technologies, Inc., Case No. GIC 768364, California Superior Court, San Diego County, (Judge Ronald L. Styn), asserting false advertising claims under the Unfair Competition Laws (Ca Business and Professions Code Sections 17200 and 17500) and the Consumer Legal Remedies Act (Ca Code Civil Section Professions Code Sections 17200 and 17500) and the Consumer Legal Remedies Act (Ca. Code Civil Section 1750), brought a successful motion for class certification and obtained a judgment of $12,536,820.00 in restitution and additional prohibitive injunctive relief on behalf of the certified class after a 7 week trial in 2003.

• Mr. Keegan has also represented numerous parties in arbitrations before the National Association of Securities

Dealers and American Arbitration Association.

8

THE SONG-BEVERLY CREDIT CARD ACT CARD ACT

• Cal Civ Code § 1747 08:
• Cal. Civ. Code § 1747.08:

– What is the purpose?

What does it forbid?

– What does it forbid? – What is “personal identification information”? – Civil penalties up to $1 000 per violation: No – Civil penalties up to $1,000 per violation: No

aggregate cap

– Exceptions

p

• Bona fide error
• Others

9

EVOLUTION OF SONG-BEVERLY

• Enacted in 1971

Enacted in 1971

• Prior to 1991: only prohibited requiring

cardholder to provide personal identification cardholder to provide personal identification information as a condition to accepting a credit card credit card

– Did not forbid requesting personal information from a

credit card user, and the user voluntarily providing the information

10

EVOLUTION OF SONG-BEVERLY (cont ) (cont.)

• 1991 amendment: added language

1991 amendment: added language prohibiting requesting consumer personal information “as a condition to” accepting the p g credit card as payment for goods or services

– Amendment designed to “clean up” and “clarify” the

g p y statute, not exponentially expand its reach

– Purpose was to clarify that persons “may neither

require nor request as a condition to accepting the require nor request, as a condition to accepting the credit card, the taking or recording of personal identification information from the cardholder”

11

EVOLUTION OF SONG-BEVERLY (cont ) (cont.)

• Threshold issue: Does Song-Beverly apply to mere

g y pp y requests for information, even where the consumer is told that the information is not required?

The “misplaced” comma:

– The misplaced comma:

• Plaintiffs contend that the 1991 amendment expanded scope
• f liability by prohibiting the requiring of information “as a

condition to accepting the credit card” AND any and all condition to accepting the credit card AND any and all requests for personal identification information from cardholders

– Florez v. Linens n’ Things, 108 Cal. App. 4th 447 (2003) – But see the Florez court’s note that nothing prevents a retailer from soliciting a customer’s address and telephone number for a store’s mailing list, if that information is provided voluntarily

12

EVOLUTION OF SONG-BEVERLY (cont ) (cont.)

• Plaintiff’s view is contrary to:

– Legislative history – First Amendment rights to free speech and free association – Statutory interpretation Statutory interpretation

• Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008)
• TJX Companies, Inc. v. Sup. Ct., 163 Cal. App. 4th 8 (2008)
• Notably other state statutes prohibit requests for personal
• Notably, other state statutes prohibit requests for personal

information only as a condition to credit card transactions. For example:

DC Code § 47 3153 – DC Code § 47-3153 – 11 Del. Code § 914 – Minn. Stat. Ann. § 325F.982

13

CERTAIN KEY DECISIONS UNDER SONG-BEVERLY UNDER SONG-BEVERLY

• No right to jury trial (Shabaz v. Polo Ralph Lauren Corp.,

g j y ( p p , 586 F. Supp. 2d 1205 (C.D. Cal. 2008))

• No private right of action for injunctive relief (Korn
• v. Polo Ralph Lauren Corp., 644 F. Supp. 2d 1212

(E.D. Cal. 2008))

Range of penalty could span between “the proverbial

• Range of penalty could span between the proverbial

peppercorn” to the maximum amounts authorized by the statute (TJX Companies)

• One year statute of limitations (TJX Companies)
• Does not apply to return or Internet transactions

14

IS A ZIP CODE PII?

• Party City Corp. v. Sup. Ct., 169 Cal. App. 4th 497

Party City Corp. v. Sup. Ct., 169 Cal. App. 4th 497 (2008):

– ZIP code is “group identifier about location,” not

“ li d i di id l id tifi ti i f ti ithi “personalized or individual identification information within the statutory terms”

• Pineda v. Williams-Sonoma Stores, Inc., 178 Cal. App.

, , pp 4th 714 (2009): Followed Party City

– ZIP code is not personal identification information within

th i f § 1747 08(b) h it i t d the meaning of § 1747.08(b) even where it is requested for the purpose of reverse data mining to obtain customer’s address

15

IS A ZIP CODE PII? (cont.)

• Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th

Pineda v. Williams Sonoma Stores, Inc., 51 Cal. 4th 524 (2011):

– A Zip code constitutes PII and, thus, “requesting and

di dh ld ’ ZIP d ith t i l t ” recording a cardholder’s ZIP code, without more, violates” § 1747.08

– § 1747.08 is remedial, and should be liberally construed

y

– A ZIP code is similar to specified types of PII in §

1747.08(b) (telephone and address) Is unnecessary to sales transaction

– Is unnecessary to sales transaction – Construction of §1747.08 is retroactive

16

THE EXPLOSION OF CLASS ACTIONS AFTER PINEDA ACTIONS AFTER PINEDA

Well over 100 cases filed in California courts since Pineda alleging § 1747 08 violations based on ZIP code alleging § 1747.08 violations based on ZIP code requests, including actions against:

• Alin Party Supply Co.

Anna’s Linens

• Crate & Barrel

Destination Maternity

• Lamps Plus

Lenscrafters

• Pier 1 Imports

Pottery Barn

• Tesoro

Thrifty Oil

• Anna s Linens
• Anthropologie
• Avenue
• Bath and Body Works
• Bed Bath & Beyond
• Destination Maternity
• The Dressbarn
• Estee Lauder
• Eurostar
• ExxonMobil
• Lenscrafters
• Lids/Hat Zone
• Lowe’s
• Macy’s
• Maidenform
• Pottery Barn
• Radio Shack
• REI
• Redbox
• Restoration Hardware
• Thrifty Oil
• Tiffany and Company
• T.J. Maxx
• Toys “R” Us/Babies “R” Us
• Trader Joe’s

y

• Bedrock Oil
• Best Buy
• Big 5 Sporting Goods
• Big Lots Stores
• Fry’s Electronics
• GNC
• Genesco
• Home Depot
• Marshalls
• Michaels Stores
• Nike
• Nordstrom
• Ross Stores
• Sephora
• Shell
• Sport Chalet
• Urban Outfitters
• Victoria’s Secret
• Vons
• Wal-Mart
• Body Shop
• Brookstone
• Chevron
• Coach

C l H h

• Homegoods
• IKEA
• J.C. Penney Co.
• Journey

K t

• Oakley
• Office Depot
• Officemax
• Old Navy

P t A i /P t Cit

• Sunglass Hut
• Sur La Table
• Target
• The Children’s Place

Th C t i St

• Whole Foods Market
• Williams-Sonoma
• West Elm
• Wolverine Worldwide

17

• Cole Hahn
• ConocoPhillips
• Cost Plus
• Kmart
• Kohl’s
• Lacoste
• Party American/Party City
• Paypal
• Pearle Vision
• The Container Store
• The Gap
• The Pepboys

AFTER PINEDA

• New actions extend beyond traditional

New actions extend beyond traditional person-to-person transactions:

– “Pay at the Pump” Machines

Pay at the Pump Machines

• Flores v. Chevron Corp. et al.
• Dulce v. Bedrock Oil, Inc. et al.

Self Service Kiosks

– Self-Service Kiosks

• Schiff v. Redbox Automated Retail LLC

18

AFTER PINEDA (cont.)

• What about use of Zip codes for anti-fraud

purposes?

– Potential legislative limitation on Pineda:

• AB 1219 is intended to amend § 1747 08 to “recognize
• AB 1219 is intended to amend § 1747.08 to recognize . . .

legitimate business practices designed to address the increased potential for identity theft that results if the cardholder is not present or if the credit card does not cardholder is not present or if the credit card does not function correctly”

• Would expand the exclusions enumerated in § 1747.08(c) to

include when information is used “solely for prevention of include when information is used solely for prevention of fraud, theft, or identity theft”

19

WHAT’S NEXT?

• Does Section 1747.08 apply to e-mail addresses?

– See Meherens v. Redbox Automated Retail, LLC., No.

BC455418 (Sup. Ct. Los Angeles) (alleging defendant “requested and/or required Plaintiff to provide his ZIP code and e-mail address . . . .”)

• How about to on-line transactions?

– Boorstein v. Paypal, Inc. and Boorstein v. Amazon.com, Inc.

(using Pineda to argue § 1747.08 applies to online transactions if the retailer requests information “unnecessary to the sales if the retailer requests information unnecessary to the sales transaction” that, alone or together with other data (e.g., cardholder’s name or credit card number) can be used for the retailer’s business purposes) B t S li S t C 596 F S 2d 1323 (C D

– But see Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D.

• Cal. 2009) (holding that because, like a refund transaction, an

“online transaction raises fraud concerns,” online transactions are not encompassed within §1747.08)

20

WHAT’S NEXT? (cont.)

• Has Pineda created a colorable claim that reverse data

mining and similar practices alone constitute an invasion of privacy outside of the Song-Beverly context?

• Does a phone look up during a transaction constitute a
• Does a phone look up during a transaction constitute a

violation of § 1747.08?

• How should a retailer proceed with respect to a loyalty or

disco nt program? discount program?

• What is a transaction and when does it begin and end?
• What can a retailer do to achieve its business objectives and

j minimize its compliance and litigation risks?

21

C P l ID D t Vi l ti Consumer Personal ID Data Violations: Class Action Threats—Insurance Considerations

May 26, 2011 Linda Kornfeld Jenner & Block lkornfeld@jenner.com (213) 239-5176

WHICH POLICIES MAY APPLY?

• Critical first step: collect and review potentially

p p y applicable policies

– General Liability Errors & Omissions Coverage – Errors & Omissions Coverage – Directors & Officers Liability Directors & Officers Liability

23

24

24

CGL Policies: Is There a Potential For C ? Coverage?

• Most courts that have dealt with coverage for use,

collection or distribution of “personal information” have done so in FACTA context under CGL policies.

• Is the “personal injury” or “advertising injury”

coverage potentially triggered? g p y gg

25

What is Covered? What is Covered?

• “Oral or written publication, in any manner, of

material that violates a person’s right of privacy.”

• Does the claim involve some form of “publication”?
• Does the claim involve a “privacy” violation?

26

“Publication”? Publication ?

• What is required to constitute “publication”?

Some form of public dissemination? – Some form of public dissemination? – Term not defined in many policies. – “in any manner” language allows for broad interpretation—courts have concluded that credit card p receipts provided only to customers constituted “publication.”

27

Violation of a “Right of Privacy”? Violation of a Right of Privacy ?

• “Privacy” often is not defined in CGL policies

“Where an insurance policy does not define privacy”

• Where an insurance policy does not define privacy

policy can be broadly interpreted “to include aspects

• f privacy protected by

privacy statutes ”

• f privacy protected by…privacy statutes.

– Song Beverly intended to protect “privacy” interests – In FACTA context “privacy” requirement satisfied even though customer voluntarily provided information. g y p

28

Song Beverly Claims Should “Trigger” Coverage

• Prima facie, coverage should be triggered

“Publication” by making customer ZIP code information – Publication by making customer ZIP code information available both internally and potentially to other businesses. – Such “publications” allegedly violate customer “privacy interests ” interests. – Many complaints include an express cause of action for invasion of privacy invasion of privacy

29

CGL POLICY EXCLUSIONS

“Statutory” Exclusions Statutory Exclusions

• Typically exclude “Personal Injury… arising directly
• r indirectly out of any action or omission that

violates or is alleged to violate: …any statue,

• rdinance or regulation…that prohibits or limits the

sending transmitting comm nicating or distrib tion sending, transmitting, communicating or distribution

• f material or information.”
• Insurers assert as a broad-based excuse to avoid

coverage

31

Statutory Exclusion Con’t Statutory Exclusion, Con t

• Carefully read the underlying complaint

What if it solely alleges that you “requested and – What if it solely alleges that you requested and recorded” customer’s zip code information? – Does that constitute “sending, transmitting communicating or distributing”? – What if in addition to alleged statutory violations the complaint also contains a common law privacy claims?

32

“Knowing” Infliction of Personal or Ad ti i I j E l i Advertising Injury Exclusion

• Excludes “personal and advertising injury” “arising
• ut of an offense committed by . . . the insured with

the expectation of inflicting personal and advertising injury.”

• Requires a fact-based analysis.
• What level of “expectation” or “intent” is sufficient?
• Argue against impact on payment of defense fees

Argue against impact on payment of defense fees.

33

Amounts Spent for “Excluded” Claims Amounts Spent for Excluded Claims

• What happens to the duty to defend when the

complaint includes both covered and excluded claims? What if multiple lawsuits are filed and some include covered claims and others do not?

• If some claims or complaints are covered and

money spent to address allegedly “excluded” claims y p g y “benefits” covered claims, you may have coverage for all defense fees expended in all actions.

34

Errors & Omissions Coverage Errors & Omissions Coverage

• Policyholders should also review E&O policies

– Cover “claims” for allegations of “professional” misconduct – Must act within “professional” capacity as defined by policy p y – Some cover “damages arising from violation of ‘privacy laws” laws

35

What constitutes a “claim”? What constitutes a claim ?

• Need a demand for “something,” often money.

Lawsuit clearly meets the standard

• Lawsuit clearly meets the standard.

36

Duty to “advance” defense fees Duty to advance defense fees

• “Potentiality” standard

“Prior to final adjudication” the “timing” question

• Prior to final adjudication —the timing question

37

“Penalty” Exclusions Penalty Exclusions

• Some E&O policies exclude “fines” or “penalties.”

p p

• Review underlying complaint: does it also seek “damages”?

Attorney’s fees? Pre or post judgment interest? Attorney s fees? Pre or post judgment interest?

• What is the true nature of the claimed “fine” or “penalty”?
• Argue that, in privacy context, statutory damages are not a

“penalty,” but rather a recognition that damage caused by privacy violation is difficult to calculate. Therefore, legislature uses statutory damages to act as a proxy.

38

Directors & Officers Coverage Directors & Officers Coverage

• Covers certain claims for “wrongful acts, errors or
• missions” by company and its executives
• If executives are claimed to have known that there

was an issue before Pineda court ruled and did not was an issue before Pineda court ruled and did not modify behavior, coverage may apply

• If executives are not sued, policy must have “entity

coverage” that applies beyond “securities” claims

39

• In light of Pineda and other

lawsuits is there potential lawsuits, is there potential exposure requiring notice?

• Do prior policies have less

restrictive exclusions?

40

Conclusion Conclusion

• Carefully read complaints

Carefully read all policies

• Carefully read all policies
• Perform policy audits at time of renewal and attempt

p y p to negotiate to increase protection

41