CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Archive for the ‘Commercial Litigation/Directors & Officers’ Category

Cyber Insurance and the COVID-19 Pandemic

Posted on: March 5th, 2021

By: Matthew Jones

In light of the Covid-19 pandemic, various professions have changed their policies on working remotely. When the initial lockdown and quarantine process began, some companies were forced to begin working remotely to stay afloat. And even now when certain states begin to “re-open”, companies are allowing their employees to continue working remotely. However, some companies may not have the proper technology and security features to prevent cyber-attacks, which have increased significantly during the pandemic. In addition to that, some companies do not have the proper insurance in place to compensate for damages due to a cyber-attack. Although cyber insurance is occasionally bundled into existing property or liability insurance policies, that is not always the case.  Sometimes, those policies fail to explicitly include or exclude cyber-attacks, thereby leaving insurers at a great risk of loss. 

The legal profession is one industry that has seen an increase in cyber-attacks given the utilization of remote depositions and court appearances via Zoom and similar platforms. Even though these capabilities existed years prior to the pandemic, they have become much more commonplace in today’s business. But with their continued use comes vulnerability and additional claims. One way to counteract these claims is for insurers to require certain types of technology and/or security features within businesses as a prerequisite to cyber insurance, or draft policies so they explicitly state whether there is coverage to avoid additional costs of litigation. No matter how this issue is dealt with, it will likely lead to an increase in litigation as the technology world continues to evolve.

For more information, please contact Matthew Jones at [email protected].

Eleventh Circuit Denies Article III Standing Based on Future Harm from Data Breach

Posted on: February 26th, 2021

By: Matt Foree

The United States Court of Appeals for the Eleventh Circuit recently held that future harm from a data breach does not provide Article III standing to a plaintiff. By doing so, the Eleventh Circuit weighed in on the ongoing debate among the circuit courts. The case is Tsao v. Captiva MVP Rest. Partners, LLC, which can be found here

In Tsao, the plaintiff raised claims individually and on behalf of a class against a restaurant following a data breach that exposed the restaurant’s customers’ personal financial information. The case dealt with the concept of Article III standing, which concerns a person’s ability to file suit in federal court. Under Article III of the Constitution, the jurisdiction of a federal court is limited to cases and controversies. To satisfy the case or controversy requirement, a plaintiff must have standing to sue. For a plaintiff to have standing, he must have suffered an injury in fact, that is fairly traceable to the challenged conduct of the defendant, and that is likely to be redressed by a favorable judicial decision. 

The plaintiff in Tsao did not allege injury based on misuse of personal information or based on identity theft occurring as a result of the data breach. Instead, he raised two general theories of standing. First, he argued that he could suffer future injury from misuse of the personal information disclosed during the cyber-attack, even though he had not yet, and that this risk of misuse alone was enough to satisfy the standing requirement. Then he argued that he has already suffered some concrete, particularized mitigation injuries including lost time, lost rewards points, and loss of access to accounts, that are sufficient to confer standing.

As part of its analysis, the Eleventh Circuit considered recent case law and distilled two legal principles relevant to the plaintiff’s claims. First, it determined that a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm. Second, if the hypothetical harm alleged is not certainly impending or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on himself to mitigate a perceived risk. 

With these principles in mind, the Eleventh Circuit began by considering plaintiff’s theory that he had Article III standing because he faced a substantial risk of identity theft, fraud, and other harm in the future as a result of the data breach. The Eleventh Circuit considered the opinions of its sister circuits, which are divided. It recognized that on the one hand, the Sixth, Seventh, Ninth, and D.C. Circuits have all recognized at the pleading stage that a plaintiff can establish injury in fact based on the increased risk of identity theft. On the other hand, it recognized that the Second, Third, Fourth, and Eighth Circuits have declined to find standing on that theory.

After considering the decisions of its sister circuits, the Eleventh Circuit determined that plaintiff did not meet his burden to show that there was a substantial risk of harm or that such harm is certainly impending. As part of its decision, it underscored three key considerations. First, it recognized that it recently held that conclusory allegations of an elevated risk of identity theft are not enough to confer standing. Second, it held that the plaintiff only offered vague, conclusory allegations that members of the class suffered a debt and actual misuse of their personal data, i.e., unauthorized charges, but conclusory allegations of injury were not enough to confer standing. Finally, plaintiff canceled his credit cards following disclosure of the breach, effectively eliminating the risk of credit card fraud in the future. Therefore, the Eleventh Circuit determined that evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing, such that it follows that plaintiff did not have standing based on an increased risk of identity theft.

The Eleventh Circuit then turned to plaintiff’s claim that he suffered actual, present injuries in his efforts to mitigate the risk of identity theft caused by the data breach. It determined that it is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending. It determined that the mitigation costs plaintiff alleged are inextricably tied to his perception of the actual risk of identity theft following the data breach. Therefore, it found that plaintiff could not conjure standing by inflicting injuries on himself to avoid an insubstantial, non-eminent risk of identity theft. 

In sum, the Eleventh Circuit held that plaintiff lacked Article III standing because he could not demonstrate a substantial risk of future identity theft or that identity theft is certainly impending and also because he could not manufacture standing by in current cost and anticipation of non-eminent harm.  By doing so, the court upheld the dismissal of plaintiff’s claims.  Importantly, this decision contributes to the disagreement among the circuit courts as to whether future harm resulting from a data breach can form the basis of a lawsuit in federal court.

If you have questions or would like more information, please contact Matt Foree at [email protected].

Supreme Court Hears TCPA Case on Autodialer Definition

Posted on: January 22nd, 2021

By: Matthew Foree

The Supreme Court of the United States recently heard an important Telephone Consumer Protection Act (“TCPA”) case concerning the statutory definition of “automatic telephone dialing system” (“ATDS”). Whether a person used an ATDS can be a basis for liability and severe penalties. We previously reported on this matter here. The oral argument audio is available here and a transcript of the hearing is available here.

The argument centered around the definition of ATDS, which has created confusion among the courts, resulting in a patchwork of inconsistent decisions throughout the country. ATDS is defined in the statute as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” The Supreme Court is considering whether the definition of ATDS in the TCPA encompasses any device that can store and automatically dial telephone numbers, even if the device does not use a random or sequential number generator.  

The argument necessarily involved statutory interpretation and the rules of grammatical construction. Facebook argued, among other things, that the statute should be read according to its text, including that the phrase “telephone numbers to be called, using a random or sequential number generator” applies to both verbs, “store” or “produce.” This argument raises the difficult concept that something can be “stored” using a “random or sequential number generator.” Facebook argued that a contrary reading covers any device that can store and dial numbers without the use of a “random or sequential number generator.” This raised the idea that a smartphone could be considered an autodialer. 

Interestingly, given the grammatical nature of the dispute, Bryan Garner, of legal writing fame, argued for Duguid. He began by underscoring the Congressional purpose of privacy in enacting the TCPA. He also argued that rules of grammar permit a reading of the statute where the phrase “telephone numbers to be called, using a random or sequential number generator” can apply to only the verb “produce,” which precedes the phrase, and not the verb “store.” He argued that Facebook’s interpretation reads the statute “into oblivion,” with the impact being the unwanted proliferation of robocalls.

So, to over-simplify, on one side we have an argument that could promote the proliferation of robocalls and on the other one that could drastically reduce them. The hearing underscored the continuing confusion surrounding the ATDS definition. In 1991, when the statute was enacted, cellular telephones were in their infancy (and the size of bricks) and text messages did not exist as they do today. The parties and the Justices struggled with fitting today’s technology into the statutory language and some seemed to consider other ways to get around the problem. Perhaps the most interesting example was Justice Thomas asking why a text message is considered a call under the TCPA at all.

This confusion has driven the split among the U.S. Circuit Courts of Appeal, which have interpreted the statutory language inconsistently. Some courts, like the Eleventh Circuit, interpret the language literally with a restricted approach, while others have expanded the definition.  Most notably, the U.S. Court of Appeals for the  Ninth Circuit in Marks v. Crunch San DiegoLLC concluded that the “statutory definition of ATDS is not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator,’ but also includes devices with the capacity to dial stored numbers automatically.”    

Practitioners and their clients are eagerly awaiting the Court’s decision on this matter so that it can be put to rest, hopefully.  A ruling is expected by summer of 2021.    

For more information, please contact Matt Foree at [email protected].

Supreme Court to Hear TCPA Case on Autodialer Definition

Posted on: August 18th, 2020

By: Matthew Foree

The Supreme Court of the United States recently announced that it will consider an important Telephone Consumer Protection Act (“TCPA”) case concerning the problematic statutory definition of “automatic telephone dialing system” (“ATDS”). Information about the case, Facebook, Inc. v. Duguid, can be found here.

As we have reported several times before, the determination as to what constitutes an ATDS has created significant confusion, resulting in a patchwork of inconsistent decisions throughout the country. The definition in the statute, which dates to 1991, provides that an ATDS is “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” Among other things, the TCPA prohibits using an ATDS to make calls to a cellular telephone without the consent of the called party. Therefore, whether an ATDS was used in making calls can be determinative of liability. In the Facebook case, the Supreme Court will consider the specific issue of whether the definition of ATDS in the TCPA encompasses any device that can store and automatically dial telephone numbers, even if the device does not use a random or sequential number generator.

The U.S. Circuit Courts of Appeal have interpreted the statutory language inconsistently. Some courts, like the Eleventh Circuit, interpret the language literally with a restricted approach, while others have expanded the definition. For example, in Marks v. Crunch San Diego, LLC, the U.S. Court of Appeals for the Ninth Circuit concluded that the “statutory definition of ATDS is not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator,’ but also includes devices with the capacity to dial stored numbers automatically.” Accordingly, the court read the statute to provide that ATDS means “equipment which has the capacity—(1) to store numbers to be called or (2) to produce numbers to be called, using a random or sequential number generator—and to dial such numbers.” Interestingly, since the Supreme Court granted certiorari, the Sixth Circuit has joined the Ninth Circuit in its interpretation of this language in the Allan v. Pennsylvania Higher Education Assistance Agency case.

Thankfully, this issue will finally be resolved by the Supreme Court’s decision in this matter. Practitioners and their clients are eagerly awaiting the Court’s decision to clarify the definition of ATDS. Facebook’s brief is due to be filed with the Supreme Court by September 4, 2020, and Respondent’s briefing is due on October 16, 2020.  A ruling is expected by the summer of 2021. In the meantime, many U.S. District Courts are granting motions to stay pending the resolution of this important decision.

If you have any questions or would like more information, please contact Matt Foree at [email protected].

Statute of Limitations Tolled in California Amid Pandemic

Posted on: August 3rd, 2020

By: Matthew Jones

In response to the COVID-19 pandemic, California’s Governor Gavin Newsom issued a “state of emergency” for the entire State. In response, the California Judicial Council adopted several Emergency Rules to implement during the pandemic. In particular, Rule 9 states that all statute of limitations for civil causes of action are tolled from April 6, 2020 until 90 days after the state of emergency related to COVID-19 is lifted by the Governor. Therefore, if a party’s claim would have expired pursuant to the applicable statute of limitations during this timeframe, such claims are still very much alive. In regard to those claims, there is currently no deadline to file them since the “state of emergency” has yet to be lifted by the Governor. Once lifted, claimants will have six months to file their respective claims.

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**