« Griping Blogger Protected by Fair Use But Not Section 230--Ascend Health v. Wells | Main | N.Y. Yankees Block Clothing Manufacturer's "Baseball's Evil Empire" Trademark Registration (Catch-Up Post) »
March 22, 2013
Another Credit Card Breach Lawsuit Fails – Willingham v. Global Payments
[Post by Venkat Balasubramani]
Willingham v. Global Payments, Inc., 12-CV-01157 (N.D. Ga. Feb 5, 2013) (case later dismissed by the parties)
This is a data breach lawsuit arising out of an incident in which credit card information was purloined from a payment processor. Global Payments, the defendant in the lawsuit, handled transaction processing for merchants. Two plaintiffs sued on their own behalf and on behalf of a putative class. Willingham alleged she noticed fraudulent charges made using her card totaling approximately $1,000. The Hieslers, the other named plaintiffs, made similar allegations. The plaintiffs did not allege whether they were able to get their credit card company to reverse the charge. Plaintiffs assert a variety of state and federal law claims. The court dismisses them all.
Standing: The court engages in a long but ultimately academic discussion on standing. The court says that injury-in-fact requires out-of-pocket loss, and even an unauthorized charge is not necessarily enough:
To sufficiently allege that identity theft actually occurred, a plaintiff must, allege more than fraudulent charges which were removed . . . some further factual allegation, such as that Plaintiff was not reimbursed for those charges or that she incurred fees or other expenses or financial consequences [is required] . . . .
If there is no injury-in-fact, plaintiff may find standing based on future harm only if it is “imminent.” The court says that plaintiffs’ allegations fall short, and also that they are speculative because they depend on the actions of a third party. (The court expresses disagreement with other cases that have held that the risk of future harm is sufficient for standing.) The court also says that plaintiffs’ personal information does not have “inherent monetary value.” (citing to the Facebook privacy litigation and RockYou)
After all this, the court says that it’s preferable to resolve the dispute on the merits than dismiss on the basis of standing.
Stored Communications Act: Plaintiffs argued that Global Payments violated the Stored Communications Act because it knowingly divulged plaintiffs’ credit card information to third parties, by having in place lax authority and allowing hackers to access it. The court debates the issue of whether Global Payments falls under the statute’s definitions of providing an electronic communications service or a remote computing service. Regardless of how this issue shakes out, the court says that Global Payments does not provide a service “to the public” (it deals with merchants). More importantly, it did not “knowingly” divulge any information. At best, it failed to take appropriate steps to safeguard the data, but this does not amount to “knowing” disclosure.
Fair Credit Reporting Act: Plaintiff also alleged that Global Payments willfully and negligently violated the FCRA by failing to implement reasonable security procedures to maintain the confidentiality of plaintiffs’ information. The court rejects this claim as well, saying that under the FCRA, liability in this context only attaches where the covered entity improperly “furnishes” a consumer report to third parties. Here, the court says, Global Payments did not “furnish” the information to anyone.
Georgia Unfair Trade Practices Act: Plaintiffs argued that Global Payments misrepresented the level of security provided and engaged in a deceptive trade practice. The court says that plaintiffs fail to allege reliance on any misrepresentations and failed to allege damages sufficient to support injunctive relief. Plaintiffs also argued that the are entitled to injunctive relief because defendant “farmed out” its obligation to provide adequate security to third parties. Plaintiffs tried to rely on the data breach notification provisions in further support of this argument, but the court says this doesn’t necessarily require notification when an entity delegates its obligations; and in any event, the obligation only applies to the information of residents of the state.
Negligence: A big problem with the negligence claim is that there’s no relationship between Global Papyments and plaintiffs (they are not direct customers). Thus, the court says there is no duty. Plaintiffs tried to rely on the “voluntary undertaking doctrine,” but the court says that the lack of bodily injury or physical harm renders this unavailable. Plaintiffs’ negligence claim was also barred by the economic loss doctrine which limits a party to contractual remedies (where there is a contract) and only allows negligence claims for certain exemplary damages or conduct.
Contract: Plaintiffs’ contract claims fail because they are not third party beneficiaries to the agreements between Global Payments and the merchants. The court also says that there’s no basis for an implied contract—any broad statements that Global Payments would safeguard the underlying data are insufficient to form an implied contract.
Plaintiffs are having a tougher and tougher time in data breach cases. Courts seem to require the allegations of out-of-pocket loss to be unequivocal, and here, the court says that even the allegation of an errant charge is insufficient, absent an accompanying allegation that they were not reimbursed or charged back. A stray case or two seemed to offer a glimmer of hope to these types of plaintiffs, but cases rejecting claims keep piling up. If you can't cobble together a claim when your credit card information has been compromised, I wouldn't be very optimistic, in general, as a data breach plaintiff.
Data breach notification laws also do not seem to offer much help to plaintiffs. Granted, plaintiffs only presented their claims under the data breach statute obliquely, in order to support their unfair competition claims, but I can’t think of many cases where consumers were able to recover damages based on an entity’s alleged failure to provide timely notice or otherwise comply with a notification statute.
Federal statutes similarly do not offer much help. From the beginning, early data breach plaintiffs have tried many different variations of federal privacy statutes, but none have really stuck. I thought plaintiffs were creative here with their invocation of the FCRA, but the court rejects this as well.
Although the results in these cases may make sense, courts do engage in some doctrinal contortion to get there. As such, appellate relief is possible. (Again, while a few cases have offered slight rays of sunshine to these types of plaintiffs, none have truly opened the door.)
Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]
[image credit: Sutterstock/budiadiliansyah: a programmer work at night to be a cracker]