We Gettin’ Money, Bank Roll, Supersized: Digesting the 7th Circuit’s Data Breach Ruling

July 28, 2015

by Brent Tuttle, CIPP/US, E*

Recently, the 7th Circuit handed down a ruling in a data breach case that has class action plaintiffs’ attorneys poppin’ bottles. The case is Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).

Background:

Between July 16, 2013 and October 13, 2013, malware found its way onto the Neiman Marcus computer systems. This potentially exposed 350,000 credit cards, 9,200 of which were known to have been used fraudulently. (The Court of Appeal noted that all 9,200 fraudulent charges were subsequently reimbursed.)

The company discovered this breach January 1, 2014 and publicly disclosed it nine days later. The company offered all customers who shopped at Neiman Marcus between January 2013 and January 2014 one year of free credit monitoring and identity theft protection.

This announcement prompted a number of class action suits spearheaded by four individual plaintiffs who represent 350,000 other customers whose credit card information may have been stolen; the disclosures indicated that social security numbers and other PII had not been exposed. The complaint relies on several theories: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

The company moved to dismiss the claim, arguing that the plaintiffs lacked Article III standing, a usually successful procedural tactic in data breach litigation. A litigant with standing to sue must have “suffered [a] concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). Plaintiffs alleged injuries relating to lost time, money, and aggravation in dealing with the breach, as well as “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Neiman Marcus at 6. The case was dismissed by the district court, based on the 2013 Supreme Court case Clapper v. Amnesty Int’l USA, which held that allegations of possible future injury are not sufficient.

Seventh Circuit’s Decision:

On July 20, 2015, in a unanimous decision by a three–judge panel, the Seventh Circuit reversed the district court’s decision.  The Seventh Circuit stated “Clapper does not…foreclose any use whatsoever of future injuries.” In Clapper, the Supreme Court decided that Amnesty International did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because they could not show that their communications were actually intercepted by the government, but only that such interceptions might have occurred. This was too speculative to establish standing.  However, Clapper left open what is known as the “substantial risk” standard, stating “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (2013). The Seventh Circuit ruled that the data breach plaintiffs alleged a sufficient substantial risk of harm.

The Seventh Circuit concluded that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonably likelihood’ that such an injury with occur.” Neiman Marcus at 9 (citing Clapper, 133 S. Ct. at 1147). Thus, the 350,000 Neiman Marcus customers whose information may have been stolen have standing to sue despite the fact that no real harm may ever come about. Or as Vietnam veteran Walter Sobchak might say, these plaintiffs may move forward based on “…what appears…to be a series of victimless crimes.”

Neiman Marcus represents a significant change in the tide for data breach litigation and as this is the first Court of Appeals to lower the bar for plaintiffs to gain standing, it may very well open up the floodgates elsewhere. This decision has the potential to send not just waves, but tsunamis, through the judicial system (at least within the Seventh Circuit). The ruling handed down in Neiman Marcus via “substantial risk” is distinct from past theories of injury previous courts have relied on dismissing data breach plaintiffs for lack of Article III standing. Past cases (some within the Seventh Circuit) had rejected the “clearly impending” theory of injury. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (holding “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”; see also Strautins v. Trustwave Holdings, Inc., No. 12-C-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); see also Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 468 (D.N.J. 2013).

However beyond the 7th Circuit, at least two cases in the Ninth Circuit have also afforded data breach plaintiffs standing through the substantial risk standard, one of which was cited in the Seventh Circuit’s opinion.  See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014); see also In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-md-2258, 2014 WL 223677, at *9 (S.D. Cal. Jan. 21, 2014).

The Seventh Circuit’s justification upon which it placed the above reasoning is questionable. The court states “…it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” That is quite a presumption, is it not? How can anyone truly know the purpose behind a hack or data breach? There may be other purposes, such as causing fear itself, seeking to increase the costs of Neiman Marcus, or simply exploiting a security weakness because it is there.  On remand, would this be a rebuttable presumption relegated to the damages phase of a trial?

Further, one wonders if the facts of the Neiman Marcus case will be extrapolated:  Is there such presumption for the Sony breach? (Coincidentally a suit involving that breach has been allowed to move forward. See Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015)). What about the Office of Personnel Management breach? Is it plausible to presume any intent or motive with that incident? The enemies of the U.S. government may have different motives from the enemies of Neiman Marcus.

How about the Ashley Madison hack that was in the headlines earlier last week? Adult Friend Finder earlier this summer? These breaches certainly don’t seem to fit within the Seventh Circuit’s reasoning above. Those may have been primarily targeting the businesses, not the customers.

Another consideration is that hackers might take haystacks of data in order to identify the desirable needles.  Can a court presume that a breach isn’t really targeting a needle as opposed to the entire haystack? And what sort of public policy does this promote by allowing the entire haystack a bite at the apple if it’s unknown whether they were ever actually harmed or the target thereof? The Seventh Circuit’s language in Neiman Marcus may just be a presumption, but it’s going to be an expensive presumption for data breach defendants to bear.

It is further problematic that the Seventh Circuit partially grounded its decision on the basis that “[i]t is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers whom it had contact information and who shopped at their stories between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Neiman Marcus at 11. It may be true that Neiman Marcus’s actions are unlikely a result of ephemeral risk. However, the Seventh Circuit ignored the fact that at least one state data breach law requires Neiman Marcus to pay for such services if offered (See Cal. Civ. Code § 1798.82(G)). Furthermore, many laws require that data breach notices provide the victim with information as to where they can obtain free credit reports (See VA. Code Ann. 18.2-186.6; see also Wash. Rev. Code § 42.56.590; see also W. Va. Code § 46A-2A-102.) It is a logical fallacy to conclude that Neiman Marcus’s actions, then, were related to an assessment of risk rather than statutory obligations.

There are other legitimate reasons, beyond risk, why Neiman Marcus would offer such services.  First, it makes for good public relations, to give the appearance their response is proactive.  Second, it typically renders moot the standard plaintiff’s claim that the breach forced them to purchase their own credit monitoring.  However, the Seventh Circuit has challenged that tactic as well.  On remand, the court not so subtly advises the district court to investigate how long stolen data puts consumers at risk (a question they will not find an answer to). It seems this will be used to assert whether the 350,000 potentially harmed customers will need credit monitoring services beyond the twelve months that Neiman Marcus has offered to pay for, something the Seventh Circuit says “easily qualifies as a concrete injury.”

It is troubling that the Seventh Circuit has utilized evidence that Neiman Marcus is taking measures to mitigate any further harm from the breach against them. Customarily, evidence of remedial measures is inadmissible to prove a breach of duty.  Although it may be admissible as proof of harm (or standing), the prejudice may outweigh the probative value.

In sum, there is a “substantial risk” that we’ll see a lot more class action data breach suits getting filed under this new theory. This should make for some interesting developments in the field data breach litigation as most plaintiffs have not previously been able to get around the Article III standing issue. However, it’s hard to say whether the ruling will have a positive net impact on privacy for consumers, or merely just benefit plaintiffs’ attorneys looking for a payday. Legislative changes are also likely to impact the data breach class action landscape.  Two things are almost certain to come out of the Neiman Marcus ruling: OPM is probably getting sued in the Seventh Circuit and it might be a good time to invest in Orville Redenbacher.

__________

*Brent Tuttle is a Summer Associate at Randazza Legal Group


A Federal Pure Bill of Discovery

July 21, 2015

by Jay Marshall Wolman

I read an interesting case over the weekend.  You may recall the case of Heleen Mees allegedly stalking Citigroup chief economist Willem Buiter.  She was charged with five misdemeanor counts after, it seems, an affair with the married Buiter didn’t pan out.  The charges were dropped as part of a deal.  However, the story doesn’t end there.

It seems that, following the criminal process, Ms. Mees intended to sue Mr. Buiter in the Netherlands for defamation.  She filed an application in Federal court in New York, pursuant to 28 U.S.C. § 1782, which allows a district court, “upon the application of any interested person,” to require a person (assuming personal jurisdiction) to “give his testimony or statement or to produce a document or other thing for use in a proceeding in a foreign or international tribunal.” The application was denied, so she appealed to the Second Circuit.

Last week, the Second Circuit issued its decision.  There are two key parts to its holding:

First, an applicant may satisfy the statute’s “for use” requirement even if the discovery she seeks is not necessary for her to succeed in the foreign proceeding. Second, the discovery need not be sought for the purpose of commencing a foreign proceeding in order to be “for use” in that proceeding.

Ms. Mees had not even begun litigation in the Netherlands and it was unclear whether she even needed what she sought to either plead her case or prove it.  Yet, the 2nd Circuit ruled that her application could proceed.  It was remanded to determine whether the discretionary factors under Intel Corp. v. Advanced Micro Devices, Inc., 542 U.S. 241, 259, 124 S.Ct. 2466, 159 L.Ed.2d 355 (2004) were met.  As set forth in that case, the factors are:

   First, when the person from whom discovery is sought is a participant in the foreign proceeding (as Intel is here), the need for §1782(a) aid generally is not as apparent as it ordinarily is when evidence is sought from a nonparticipant in the matter arising abroad. A foreign tribunal has jurisdiction over those appearing before it, and can itself order them to produce evidence….In contrast, nonparticipants in the foreign proceeding may be outside the foreign tribunal’s jurisdictional reach; hence, their evidence, available in the United States, may be unobtainable absent §1782(a) aid. …

   Second, …a court presented with a §1782(a) request may take into account the nature of the foreign tribunal, the character of the proceedings underway abroad, and the receptivity of the foreign government or the court or agency abroad to U. S. federal-court judicial assistance. …Further, the grounds Intel urged for categorical limitations on §1782(a)’s scope may be relevant in determining whether a discovery order should be granted in a particular case. …Specifically, a district court could consider whether the §1782(a) request conceals an attempt to circumvent foreign proof-gathering restrictions or other policies of a foreign country or the United States…. Also, unduly intrusive or burdensome requests may be rejected or trimmed. …[Internal citations omitted]

This case got me thinking.  Normally, to obtain discovery in a case, one must file a lawsuit against a defendant over whom the court has jurisdiction, engage in a Rule 26(F) conference with them, and then propound discovery.  One of the biggest obstacles is when you don’t know who the defendant is.  Take, for example, your standard bittorrent movie download, violating the studio’s copyright.  Let’s assume that actual infringement has occurred and that the studio has the right to pursue the claim.  All the investigation may turn up is the IP address used to download the movie.

One of the problems raised by the defendants is that an IP address, like a telephone number, only tells you the subscriber, not the infringer.  It is as if you only got the license plate number of the car that hit you, not the driver.  In the MVA context, you can frequently sue the driver under a theory of negligent entrustment or vicarious liability and ultimately learn the identity of the motorist.  Unfortunately, those theories might not be available in the copyright context, notwithstanding arguments to the contrary.  So, what is a content creator to do?  Suing the John Doe account holder might get the case thrown out when trying to obtain early discovery if the complaint does not allege facts to suggest John Doe is the infringer, rather than his roommate.

What is needed, then, is a pure bill of discovery.  Some states, such as Connecticut, permit the taking of discovery before commencing an action in its own state courts.  C.G.S. 52-156a.  Florida, though, appears to permit it more broadly.  However, both of those have limitations where the person with the information is either in a different state or if (in Connecticut’s case) the use is for an action in another court.

The Second Circuit effectively determined that a section 1782(a) application can work as a pure bill of discovery.  The caveat, of course, is that the rights holder must be able to contemplate an action against the infringer outside the United States.  Under the Berne Convention, it would seem generally cognizable, assuming a foreign infringer in a signatory country.  Bittorrent swarms not infrequently include actual foreign infringers and domestic infringers using foreign proxies.  Thus, a cognizable claim to pursue these infringers in a foreign court can be alleged; the scope of the discovery, however, need not be limited to them.  Under the Second Circuit’s ruling, the rights holder could pursue discovery from a domestic ISP to identify the account holder and then directly from the account holder to identify the swarm participant, so as to potentially call the participant as a witness in the foreign proceeding that the rights holder never actually has to file. [Of course, it is a good idea to actually file abroad, especially if there is a concern that the 1782(a) application was not filed in good faith.] And, once an actual domestic infringer is identified, there is nothing to preclude bringing a domestic copyright infringement action against that person.

Now to see if anyone thinks this could work.


Updates in Railroad Employee Liability Law

July 17, 2015

by Jay Marshall Wolman

In addition to my usual lawyerly activities, I am also a Vice Chair of the Workers’ Compensation and Employers’ Liability Law Committee of the American Bar Association’s Tort Trial and Insurance Practice Section.  Probably the longest line on my resume.

The Committee’s Spring 2015 Newsletter is out.  I contributed an article on updates on the Federal Employers Liability Act (FELA), 45 U.S.C. sec. 51, et seq.  In short, before general workers’ compensation laws existed, the U.S. Congress established a liability and compensation framework for railroad employees.  That framework continues to govern on-the-job injuries to railroad employees.

Cases continue to develop, both in state and federal courts.  The article highlights four recent developments:

  1. Expert medical opinions on differential etiology (diagnosing the cause of the injury) must meet Daubert requirements.  Shannon Brown v. Burlington Northern Santa Fe Railway Co., 765 F.3d 765 (7th Cir. 2014).
  2. Injured employees cannot recover prejudgment interest for the gap between the verdict and the issuance of the judgment.  Dennis Kinworthy v. Soo Line Railroad Co., 860 N.W. 2d 355 (Minn., Mar. 4, 2015).
  3. Questions of constructive knowledge of defects are Federal substantive questions, requiring that the defendant should have known at a time sufficiently before the incident to have taken preventative or ameliorative measures.  Andrew Spencer v. Norfolk Southern Railway Co., 450 S.W. 3d 507 (Tenn. 2014).
  4. Railways are permitted to introduce statistical evidence  relative to when the injured worker might otherwise have retired.  John Giza v. BNSF Railway Co., 843 N.W. 2d 713 (Iowa 2014).

I highly recommend the other articles, including:

  • A Committee Notice on a proposal dealing with Medicare set-asides in workers’ compensation claims;
  • An article by Matthew Schiff and Kathryn Nadro on how different states (Ohio, Pennsylvania, Louisiana, Illinois, New Jersey & California) handle PTSD and other psychological injuries arising from the .workplace.

If you have an interest in these or other workers’ compensation topics, check out the committee at http://www.ambar.org/tipsworkers .


Problems with Revenge Porn Laws

July 16, 2015

by Jay Marshall Wolman

Revenge porn is bad, and this blog has been active in fighting it.  As a moral matter, it is a pretty easy thing to address.  As a legal matter, it is not.

More and more states have been passing laws against revenge porn.  California, for example, in 2013, added Penal Code Section 647(j)(4),   The meat is in sub-subsection (A), which states:

Any person who intentionally distributes the image of the intimate body part or parts of another identifiable person, or an image of the person depicted engaged in an act of sexual intercourse, sodomy, oral copulation, sexual penetration, or an image of masturbation by the person depicted or in which the person depicted participates, under circumstances in which the persons agree or understand that the image shall remain private, the person distributing the image knows or should know that distribution of the image will cause serious emotional distress, and the person depicted suffers that distress.

There are three exemptions in sub-subsection (D):

  1. The distribution is made in the course of reporting an unlawful activity.
  2. The distribution is made in compliance with a subpoena or other court order for use in a legal proceeding.
  3. The distribution is made in the course of a lawful public proceeding.

California’s law is similar to the model law of the Cyber Civil Rights Initiative, spearheaded by Prof. Mary Anne Franks. A Federal bill is expected to be introduced soon, with Prof. Franks’s involvement.  Although of late I have had some concerns regarding Prof. Franks, we are likely on the same side of opposing revenge porn.

A similar Arizona law was recently put on hold for vagueness.  So, too, do the California and model laws suffer from practical problems, and it is probably the case that, if the Federal bill follows the model, it will be defective.  The problem is that there are many circumstances where it is entirely appropriate to share a picture or video of nudity or a sexual encounter, taken without consent, that does not fit among the exemptions, to wit:

  • A woman suspects her husband is cheating and rigs up a motion activated camera in the bedroom.  She records him in the act and shows her mother to get advice on what to do.  She decides to stay with him.  Two years later he files for divorce and the recording and the fact of sharing with the mother is revealed.  Since her distribution two years earlier was not “in the course” of a public proceeding, she has no defense.
  • A female employee has been harassed by a male supervisor.  On more than one occasion, he has exposed himself to her and started playing with himself.  She sets up a surreptitious recording on her cellphone and brings it to her union representative.  She doesn’t want to file a formal complaint, so the union representative helps her arrange for a transfer.  Notwithstanding the transfer, the harassment continues and she quits.  The supervisor hears through the grapevine that the recording and sharing with the representative was discussed at the unemployment hearing.  The distribution to the union representative was not a proper report of unlawful activity, so she has no defense.
  • An employer suspects employee theft and sets up hidden cameras.  Instead of theft, employee fraternization, violating company policy, is caught.  The supervisor shares the video with the human resources manager.  The employees are notified of the video during exit interviews.  Again, no exemptions apply.
  • A mother installs a nanny cam, suspicious of the new babysitter.  One day, it catches the babysitter with her girlfriend getting intimate while the child naps.  The mother shares it with the father, and the father mentions it while firing her.  No exemptions.
  • A couple decides to make an intimate video.  During the encounter, he gets too aggressive, beyond their normal activities.  She shares it with her therapist, who then mentions it in a later joint therapy session. No exemption applies.

Other scenarios exist as well.  Even sharing photographs of unclothed infants could be deemed unlawful.  In each scenario, there would be the expectation that the encounter, and therefore images thereof, should remain private. And, each of these scenarios might find the law unconstitutional as it prohibits parties from sharing information, the essence of free speech. In the ideal world, there would be no revenge porn, so it wouldn’t matter how well crafted the anti-revenge porn legislation was written.  These are all plausible scenarios based on how people act in reality.

None of these scenarios are the ones that revenge porn activists are addressing.  They are focusing on the run of the mill ex-lover who posts online nude photos or videos sent or taken (with knowledge or without) during the course of the relationship.  Unfortunately, sweeping legislation is frequently overbroad or ill-considered.


Professor Franks and the False Dichotomy

July 15, 2015

by Jay Marshall Wolman

Apparently, along with Eric Turkewitz, I have been blocked on Twitter by Mary Anne Franks.  A Rhodes Scholar and woman of letters, Dr. Franks has divined that I am not worthy of comment.  According to Dr. Franks, I am a “false rape truther“.  Presumably, she means to equate questions about false accusations with rape with those who question whether Al Qaeda was behind the attack of September 11, 2001, generally labelled “9/11 Truthers”.  Rather than engage in discussion, as one hopes a law school professor who takes to social media might expect, I have been banninated from her Twitter feed.  So much for academic discourse.

The primary thrust of this posting, however, is not to lament the inability of a law professor to engage in debate.  I agree that I am not “entitled” to her attention.  I do lament the lack of intellectual rigor in her discourse, and I am seeking to address that.

The initiating factor was her statement that the likelihood of a false rape accusation was “inifinitesimal”.  Dr. Franks wrote this in the context of a discussion on reddit that seems to have resulted in the recommendation that men wear body cameras to avoid false rape accusations.  It is an interesting proposal, given that the presidential frontrunner endorses police wearing body cameras, in order to ensure good evidence of what actually happened during an encounter (and, perhaps, to act as a deterrent).  Dr. Franks is concerned that this will lead to secret recordings and revenge porn.  She may not be incorrect on that point.  But it is a poor argument to then be dismissive of the underlying concern, false accusations of rape, as “infinitesimal”.  There is no question that such false accusations happen.  If Dr. Franks believes otherwise, then she is a False Rape Accusation Denialist.  When asked by Attorney Turkewitz to back up her claim that it is inifinitesimal, she cited to a Washington Post article.  As a Twitter follower of Attorney Turkewitz, I took note of the discussion and read the article.  According to one study in the Washington Post article, 41% of rape allegations were fabricated.  In another study referenced, 2-10% were fabricated.  Even acknowledging that there may be many actual rapes that go unreported, I was banninated for asking how many false accusations are too many.  Here is where Dr. Franks committed an egregious failure of logic.  She and I both agree that rape is very bad.  What she cannot seem to comprehend is that false accusations are also very bad.  For her, to be anti-rape you must also pretend that false accusations are not a problem.  It is not an either/or situation.  One should be both anti-rape and anti-false accusation.  In fact, false accusations hurt rape victims, for the false accusers harm the credibility of all accusers.  To protect rape victims, Dr. Franks should be working hard to prevent false accusations.

Men (and women) falsely accused or standing the risk of being falsely accused of rape rightly need to take steps to protect themselves.  The body camera idea is just one idea.  But rather than merely address the problems with the proposal, that perhaps other steps are required to ensure consent and privacy relative to the recordings, Dr. Franks opted to pretend that the problem is insignificant.  It is not, which is why it is big news when the UVA, Duke Lacrosse, or Tawana Brawley incidents are exposed.

Dr. Franks further seems to take issue with those who oppose voter fraud, somehow tying it to opposing false criminal accusations.  She also has a problem with raising concerns about benefit fraud.  I admit–fraud is bad.  Fraud in business is bad.  Fraud on the courts is bad.  Fraudulent accusations of criminal wrongdoing is bad.  And voter and benefit frauds are bad, no matter how infinitesimal.  In the last two, the entire polity is the victim of voter and benefit fraud.  Twice more, Dr. Franks sets up false dichotomies.  Disenfranchisement is bad, but so is counting votes of ineligible voters.  Poverty is bad, but so is improperly taking others’ tax dollars.  Again, these are not either/or situations.  One can impose voter ID while working to ensure that every eligible voter gets that ID.  One can audit benefit recipients while ensuring that those who are entitled get what is allotted.  We got country *and* western.

If Dr. Franks is going to lock herself in an ivory tower rather than engage in actual legal practice, she should use her time and Oxford education wisely:  come up with workable solutions rather than ignore problems.  Discuss and debate outside an echo chamber.


Is Use Discrimination Unlawful if Customers are Treated Equally?

July 10, 2015

By Jay Marshall Wolman 

There has been significant commentary in the blogosphere about a recent order out of Oregon allegedly imposing a gag order on a bakery that expressed an aversion to same sex weddings. I’ll leave the First Amendment analysis to Ken White at Popehat and Eugene Volokh as linked above. 

I’m a little more concerned with the order’s analysis of the discrimination claim itself. The Labor Commissioner did not undertake the traditional McDonnell Douglas test for discrimination. Now, this might not be an Oregon requirement, but there was no real analytical framework. This is usually important in determining if the acts were discriminatory. 

This case involved statements by the owners expressing an aversion to making cakes for same sex weddings. Let’s assume the easier case: an express policy against catering such weddings.  Is that unlawful? Why?

The statute prohibits announcing you will deny services “on account of …sexual orientation “.  ORS 659A.409. Technically, and it is unclear anyone argued this, no one is denied service on account of their orientation. Rather, the customers are denied service for the nature of the wedding. In most weddings, parents pay for the cake. This bakery would likely sell a cake to gay parents for their straight son’s wedding and refuse to sell to straight parents for their gay son’s wedding. No paying customers are denied on the basis of their orientation. The statute doesn’t address associational discrimination. Disparate treatment discrimination is not implicated and thus the bakery policy announcement of discrimination against same sex weddings, but not necessarily gay customers, would seem to be lawful. [Arguably, the conduct/person analysis of Elane Photography could suggest that it constitutes disparate treatment, but I believe that the conduct/person distinction is more suited to disparate impact analysis. The New Mexico Supreme Court in that case conflated Constitutional Equal Protection analysis with the statutory interpretation frameworks of disparate treatment and impact.]

The policy clearly has a disparate impact; there’s bound to be a spate of older gay couples now paying for their own weddings. However, the Commissioner did not address disparate impact theory, which may or may not be available under Oregon public accommodation law.  Thus, it may be the right outcome but for the wrong reasons. 


A Cost-Imposing Law that may Indirectly Save Millions

July 6, 2015

by Jay Marshall Wolman, CIPP/US

This past June, the Connecticut General Assembly enacted Public Law No. 15-142, ostensibly to improve data security in the state.  It follows on the heals of the Anthem Data Breach earlier this year.  The first major provision governs state contractors in receipt of confidential information received from the state.  The second major provision, addressed to Anthem and other health insurers, creates specific obligations to secure data under a regulatory scheme.  The third major provision addresses all other businesses.

Previously, reasonable notice of a data breach (release of certain unencrypted personal information) was required to be given.  A specific 90 day notice is now required.  More important is the remedy provision–in the event of a data breach, businesses (including health insurers), must implement identity theft prevention and/or mitigation services.  This also includes incidents where there is no actual proof of a data breach, only reasonable suspicion.  Normally, regulatory burdens such as these impose greater costs on the marketplace.  This may not be the case here.

Following Clapper v. Amnesty International, USA, most federal courts addressing standing (i.e. whether you can claim a right to sue) have found that the increased risk of injury from identity theft does not suffice to have been sufficiently injured to confer standing.  Novel theories to avoid this claim have included the costs of identity theft protection services incurred by breach victims.  This theory has been rejected at the trial court level.  See, e.g. In Re: Barnes & Noble Pin Pad Litigation.

Many companies experiencing a data breach automatically, for public relations reasons, offer identity theft protection services.  Thus, the formal obligation under law would not likely add significant cost.  And, assuming cases like the Barnes & Noble one were reversed on appeal, the claimants would no longer suffer the costs of such services, since the companies are now required (at least in Connecticut) to provide those identity theft services.  The practical effect will be that more consumer data theft class actions will likely be won on the defense of lack of subject matter jurisdiction (how a defense of lack of standing is brought).  With dismissal, there would be no settlement and no claim for millions of dollars in attorneys’ fees.  As a result, companies experiencing a breach (and their cyber insurers) would potentially save millions by doing what they already do, merely because the services are now required.

Of course, if increased regulation with a de jure cost burden has a de facto cost savings due to costs imposed by the court system, it may be time to take a closer look there as well.


Follow

Get every new post delivered to your Inbox.

Join 3,766 other followers