Lanham Act doesn’t get you around the First Amendment

October 2, 2015

RLG just got a summary judgment order in Tobinick v. Novella. In that case, we first got an Anti-SLAPP order against a California plaintiff who filed a SLAPP suit in Florida (perhaps hoping that Florida’s courts wouldn’t realize that a CA plaintiff can’t run away from his anti SLAPP law). (Order here)

However, the Plaintiff maintained that our client’s articles on a medical practice were actually “commercial speech.” Court slapped that down today. (Order here)

Since there is a little more to do in the case, I’m not going to comment further. But, the Order should go in any First Amendment lawyer’s files — because this isn’t the first time I’ve seen a plaintiff try and get creative with the Lanham Act in free speech cases.

And I’m certain it won’t be the last.


September 24, 2015

The Federal Trade Commission has come after the lovely Roca Labs, Don Juravin, and George C. Whiting.  Complaint here.

Entire docket here.

Denali Ain’t Just a River in Egypt

August 31, 2015

by Jay Marshall Wolman, CIPP/US

I hate to admit it, but I first learned the term “Denali” when reading the Twilight series.  My wife and I had taken a vacation to the Pacific Northwest and visited the Olympic peninsula.  Edward and Bella references were everywhere, and we had no clue what it was all about.  So, I read the books.  And I have a problem with leaving a series unfinished (I’m looking at you George R.R. Martin).

This past Friday, with formal announcement yesterday, the Secretary of the Interior renamed Mt. McKinley, “Denali”.  Apparently, we have something called a U.S. Board on Geographic Names that was asked in 1975 to rename the mountain. It is authorized to establish uniform name conventions.  43 U.S.C. sec. 364, et seq.   The whole park was already called Denali, but the mountain itself was left unchanged.  Because the question was pending perennially before Congress, in a perpetual battle between Alaskans (Republicans and Democrats), who wanted it renamed and Ohioans, who wanted it to remain named for their native son (born in Niles, Ohio), the Board deferred action.  The Secretary declared that with 40 years of inaction, he had the authority to do it himself; I will assume he does.

In looking at the law, I was first taken by the odd language, that the Board, with the Secretary,  gets to resolve questions regarding the “standard name”.  See, 43 USC 364b.  I figured it already had a standard name, promulgated when the park was created in 1917.  But, 64.Pub.L. 253 only establishes the Mt McKinley National Park and did not name the mountain itself.  Since the park was redesignated in 1980 as the Denali National Park ( Alaska National Interest Lands Conservation Act Dec. 2, 1980, P.L. 96-487, Title II, § 202(3)(a), 94 Stat. 2382), it does seem that the name of the mountain itself was non-standard.

Chalk this one up to things that you didn’t know Congress had delegated to the executive branch.

Ashley Madison and Standing

August 21, 2015

by Jay Marshall Wolman, CIPP/US

Recently, this blog has published posts on a new Connecticut law and a 7th Circuit ruling on data breach, both of address the issue of standing in class action data breach suits.  Standing, in plain terms, means having a legal right to sue based on an injury to you.  The Sierra Club may have standing to sue for environmental damages because its members are specifically harmed; even if many of those members also belonged to Susan Boyle Fans International, Inc., the fan club would not have standing because the organization as a whole is not harmed.

Actual harm is key.  In many data breach cases, it is hard to show actual harm; identity theft may very well not occur and free credit monitoring eliminates the direct consumer cost.  Thus, a lot of litigation has focused on the right to sue in the event of a data breach.

Now, we have the Ashley Madison hack and data dump.  Ashley Madison, as you may know, is a matchmaking service for adultery.  Unlike prior breaches, the hackers are not merely keeping the information to themselves, but they are releasing information that identifies people, including public figures and federal employees.  Divorces will occur because of the data dump.  This is not a case of “maybe someone will open a credit card in my name”; it is a case of “I have to pay alimony and child support for the foreseeable future”.  Data breach victims now have tangible harm.

Class action attorneys will still litigate questions of typicality and commonality, for not every victim will suffer the same harm.  But class certification is likely, even in such instances.  In the Black Farmers Case, the class was certified even where different class members had widely varying economic losses as a result of allegations of discrimination in USDA loan programs.  The question in this matter will not be whether to certify, then, but rather how to establish class member damages.  Although this is probably the least sympathetic data breach class, it will be one of the best cases.

I should also note that liability seems pretty decent.  In the Neiman Marcus case, the plaintiffs alleged:

negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts.

That case lacked something this case does–an express guarantee.  Take a look:

100% Secure?  Nope.  Completely Anonymous?  Negative.  Their privacy policy states:

We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.

That just seems to be another broken promise.  Section I of their Terms and Conditions states:

Privacy & Use of Information

Use of the Service is also governed by our Privacy Policy. You agree that by registering a Profile or using our Service you have agreed to our Privacy Statement. You acknowledge that although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages.  Our privacy policy is incorporated into the Terms by this reference.  You agree to release us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, know and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.  If you are a California resident, you waive California Civil Code Section 1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor.”

This is a pretty weak effort at a release and may well not be enforceable.  Of course, the Terms and Conditions does have a choice of law provision, New York, which is pretty strong in their favor.  It also has a mandatory arbitration clause, though there is a class action waiver and a damages cap of $5,000.  I expect significant litigation over the enforceability of these terms.

Knowing Employee Legal Rights

August 12, 2015

by Jay Marshall Wolman, CIPP/US

Shameless self-promotion: Today, I had the privilege of presenting “Knowing Employee Legal Rights” to a Cornell Alumni Leadership Lunch and Learn along with Prof. David Sherwyn.

Video is here:

Downloadable slideshow here:


We Gettin’ Money, Bank Roll, Supersized: Digesting the 7th Circuit’s Data Breach Ruling

July 28, 2015

by Brent Tuttle, CIPP/US, E*

Recently, the 7th Circuit handed down a ruling in a data breach case that has class action plaintiffs’ attorneys poppin’ bottles. The case is Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).


Between July 16, 2013 and October 13, 2013, malware found its way onto the Neiman Marcus computer systems. This potentially exposed 350,000 credit cards, 9,200 of which were known to have been used fraudulently. (The Court of Appeal noted that all 9,200 fraudulent charges were subsequently reimbursed.)

The company discovered this breach January 1, 2014 and publicly disclosed it nine days later. The company offered all customers who shopped at Neiman Marcus between January 2013 and January 2014 one year of free credit monitoring and identity theft protection.

This announcement prompted a number of class action suits spearheaded by four individual plaintiffs who represent 350,000 other customers whose credit card information may have been stolen; the disclosures indicated that social security numbers and other PII had not been exposed. The complaint relies on several theories: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

The company moved to dismiss the claim, arguing that the plaintiffs lacked Article III standing, a usually successful procedural tactic in data breach litigation. A litigant with standing to sue must have “suffered [a] concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). Plaintiffs alleged injuries relating to lost time, money, and aggravation in dealing with the breach, as well as “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Neiman Marcus at 6. The case was dismissed by the district court, based on the 2013 Supreme Court case Clapper v. Amnesty Int’l USA, which held that allegations of possible future injury are not sufficient.

Seventh Circuit’s Decision:

On July 20, 2015, in a unanimous decision by a three–judge panel, the Seventh Circuit reversed the district court’s decision.  The Seventh Circuit stated “Clapper does not…foreclose any use whatsoever of future injuries.” In Clapper, the Supreme Court decided that Amnesty International did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because they could not show that their communications were actually intercepted by the government, but only that such interceptions might have occurred. This was too speculative to establish standing.  However, Clapper left open what is known as the “substantial risk” standard, stating “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (2013). The Seventh Circuit ruled that the data breach plaintiffs alleged a sufficient substantial risk of harm.

The Seventh Circuit concluded that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonably likelihood’ that such an injury with occur.” Neiman Marcus at 9 (citing Clapper, 133 S. Ct. at 1147). Thus, the 350,000 Neiman Marcus customers whose information may have been stolen have standing to sue despite the fact that no real harm may ever come about. Or as Vietnam veteran Walter Sobchak might say, these plaintiffs may move forward based on “…what appears…to be a series of victimless crimes.”

Neiman Marcus represents a significant change in the tide for data breach litigation and as this is the first Court of Appeals to lower the bar for plaintiffs to gain standing, it may very well open up the floodgates elsewhere. This decision has the potential to send not just waves, but tsunamis, through the judicial system (at least within the Seventh Circuit). The ruling handed down in Neiman Marcus via “substantial risk” is distinct from past theories of injury previous courts have relied on dismissing data breach plaintiffs for lack of Article III standing. Past cases (some within the Seventh Circuit) had rejected the “clearly impending” theory of injury. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (holding “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”; see also Strautins v. Trustwave Holdings, Inc., No. 12-C-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); see also Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 468 (D.N.J. 2013).

However beyond the 7th Circuit, at least two cases in the Ninth Circuit have also afforded data breach plaintiffs standing through the substantial risk standard, one of which was cited in the Seventh Circuit’s opinion.  See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014); see also In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-md-2258, 2014 WL 223677, at *9 (S.D. Cal. Jan. 21, 2014).

The Seventh Circuit’s justification upon which it placed the above reasoning is questionable. The court states “…it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” That is quite a presumption, is it not? How can anyone truly know the purpose behind a hack or data breach? There may be other purposes, such as causing fear itself, seeking to increase the costs of Neiman Marcus, or simply exploiting a security weakness because it is there.  On remand, would this be a rebuttable presumption relegated to the damages phase of a trial?

Further, one wonders if the facts of the Neiman Marcus case will be extrapolated:  Is there such presumption for the Sony breach? (Coincidentally a suit involving that breach has been allowed to move forward. See Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015)). What about the Office of Personnel Management breach? Is it plausible to presume any intent or motive with that incident? The enemies of the U.S. government may have different motives from the enemies of Neiman Marcus.

How about the Ashley Madison hack that was in the headlines earlier last week? Adult Friend Finder earlier this summer? These breaches certainly don’t seem to fit within the Seventh Circuit’s reasoning above. Those may have been primarily targeting the businesses, not the customers.

Another consideration is that hackers might take haystacks of data in order to identify the desirable needles.  Can a court presume that a breach isn’t really targeting a needle as opposed to the entire haystack? And what sort of public policy does this promote by allowing the entire haystack a bite at the apple if it’s unknown whether they were ever actually harmed or the target thereof? The Seventh Circuit’s language in Neiman Marcus may just be a presumption, but it’s going to be an expensive presumption for data breach defendants to bear.

It is further problematic that the Seventh Circuit partially grounded its decision on the basis that “[i]t is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers whom it had contact information and who shopped at their stories between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Neiman Marcus at 11. It may be true that Neiman Marcus’s actions are unlikely a result of ephemeral risk. However, the Seventh Circuit ignored the fact that at least one state data breach law requires Neiman Marcus to pay for such services if offered (See Cal. Civ. Code § 1798.82(G)). Furthermore, many laws require that data breach notices provide the victim with information as to where they can obtain free credit reports (See VA. Code Ann. 18.2-186.6; see also Wash. Rev. Code § 42.56.590; see also W. Va. Code § 46A-2A-102.) It is a logical fallacy to conclude that Neiman Marcus’s actions, then, were related to an assessment of risk rather than statutory obligations.

There are other legitimate reasons, beyond risk, why Neiman Marcus would offer such services.  First, it makes for good public relations, to give the appearance their response is proactive.  Second, it typically renders moot the standard plaintiff’s claim that the breach forced them to purchase their own credit monitoring.  However, the Seventh Circuit has challenged that tactic as well.  On remand, the court not so subtly advises the district court to investigate how long stolen data puts consumers at risk (a question they will not find an answer to). It seems this will be used to assert whether the 350,000 potentially harmed customers will need credit monitoring services beyond the twelve months that Neiman Marcus has offered to pay for, something the Seventh Circuit says “easily qualifies as a concrete injury.”

It is troubling that the Seventh Circuit has utilized evidence that Neiman Marcus is taking measures to mitigate any further harm from the breach against them. Customarily, evidence of remedial measures is inadmissible to prove a breach of duty.  Although it may be admissible as proof of harm (or standing), the prejudice may outweigh the probative value.

In sum, there is a “substantial risk” that we’ll see a lot more class action data breach suits getting filed under this new theory. This should make for some interesting developments in the field data breach litigation as most plaintiffs have not previously been able to get around the Article III standing issue. However, it’s hard to say whether the ruling will have a positive net impact on privacy for consumers, or merely just benefit plaintiffs’ attorneys looking for a payday. Legislative changes are also likely to impact the data breach class action landscape.  Two things are almost certain to come out of the Neiman Marcus ruling: OPM is probably getting sued in the Seventh Circuit and it might be a good time to invest in Orville Redenbacher.


*Brent Tuttle is a Summer Associate at Randazza Legal Group

Updates in Railroad Employee Liability Law

July 17, 2015

by Jay Marshall Wolman

In addition to my usual lawyerly activities, I am also a Vice Chair of the Workers’ Compensation and Employers’ Liability Law Committee of the American Bar Association’s Tort Trial and Insurance Practice Section.  Probably the longest line on my resume.

The Committee’s Spring 2015 Newsletter is out.  I contributed an article on updates on the Federal Employers Liability Act (FELA), 45 U.S.C. sec. 51, et seq.  In short, before general workers’ compensation laws existed, the U.S. Congress established a liability and compensation framework for railroad employees.  That framework continues to govern on-the-job injuries to railroad employees.

Cases continue to develop, both in state and federal courts.  The article highlights four recent developments:

  1. Expert medical opinions on differential etiology (diagnosing the cause of the injury) must meet Daubert requirements.  Shannon Brown v. Burlington Northern Santa Fe Railway Co., 765 F.3d 765 (7th Cir. 2014).
  2. Injured employees cannot recover prejudgment interest for the gap between the verdict and the issuance of the judgment.  Dennis Kinworthy v. Soo Line Railroad Co., 860 N.W. 2d 355 (Minn., Mar. 4, 2015).
  3. Questions of constructive knowledge of defects are Federal substantive questions, requiring that the defendant should have known at a time sufficiently before the incident to have taken preventative or ameliorative measures.  Andrew Spencer v. Norfolk Southern Railway Co., 450 S.W. 3d 507 (Tenn. 2014).
  4. Railways are permitted to introduce statistical evidence  relative to when the injured worker might otherwise have retired.  John Giza v. BNSF Railway Co., 843 N.W. 2d 713 (Iowa 2014).

I highly recommend the other articles, including:

  • A Committee Notice on a proposal dealing with Medicare set-asides in workers’ compensation claims;
  • An article by Matthew Schiff and Kathryn Nadro on how different states (Ohio, Pennsylvania, Louisiana, Illinois, New Jersey & California) handle PTSD and other psychological injuries arising from the .workplace.

If you have an interest in these or other workers’ compensation topics, check out the committee at .


Get every new post delivered to your Inbox.

Join 3,808 other followers