The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

No Private Right Of Action Under TCPA For Technical Violations Of Fax Labeling Requirements

There is no private cause of action under the Telephone Consumer Protection Act (TCPA) for technical violations of the statute in failing to clearly display the date, time and identification of the sender. Culbreath v. Golding Enterprises, L.L.C., No. 05AP-1230, 872 N.E.2d 284 (Ohio Sept. 5, 2007). The appeals court affirmed the lower court’s dismissal of the plaintiff’s remaining TCPA and state consumer protection law claims. The court concluded that while the TCPA provides a private right of action for the receipt of an unsolicited fax, the statute does not provide a private right of action to individuals for a fax sender’s violations of the technical labeling requirements. The court also ruled that under the Ohio consumer protection statute, only individuals, not corporations, have standing to bring suit for receiving an unsolicited fax that is not shown to be unfair or deceptive.

Leave a comment

Attorney fee awarded to prevailing defendant justified in CAN-SPAM case, under “evenhanded” approach.

The "evenhanded" approach, which treats prevailing plaintiffs and prevailing defendants equally, should be used in determining whether the prevailing defendant in a CAN-SPAM Act case is entitled to an award of attorney fees. Gordon v. Virtumundo, Inc., No. 06-0204, 2007 U.S. Dist. LEXIS 55941 (W.D. Wash. Aug. 1, 2007). The court granted the defendant’s motion for attorney fees, concluding that the more stringent test applied in civil rights cases, which is more favorable to plaintiffs, should not be applied in CAN-SPAM cases. The court examined the purpose of the CAN-SPAM Act, concluding among other things that Congress’s "twin purposes of protecting consumers and imposing a regulatory structure on businesses with which they reasonably can comply lend themselves well" to a test that treats plaintiffs and defendants equally in the determination of attorney fee awards. In determining that an award to the prevailing defendant was appropriate in this case, the court referenced the plaintiffs’ institution of numerous similar CAN-SPAM action in the same district, commenting that "it is obvious that Plaintiffs are testing their luck at making their ‘spam business’ extraordinarily lucrative by seeking statutory damages through a strategy of spam collection and serial litigation."

Leave a comment

Bare allegations of emotional harm from release of personal data do not support finding of actual damages under Federal Privacy Act

Cursory descriptions of alleged emotional harm stemming from the Government’s release of personal financial information do not support a finding of "actual damages" under the federal Privacy Act. Rice v. United States, No. 00-2960, 2007 U.S. Dist. LEXIS 62507 (D. D.C. Aug. 27, 2007). The court granted the Government’s motion for summary judgment dismissing the plaintiffs’ claims, concluding that the plaintiffs failed to raise a question of material fact as to whether they could prove actual damages at trial. Without conclusively deciding whether non-pecuniary harm could qualify as actual damages as a matter of law, the court found that the plaintiffs’ failed to produce any evidence to corroborate their bare allegations and failed to allege their emotional injuries produced any physical manifestation requiring medical treatment.

Leave a comment

Authorized Computer Access By Employee Not CFAA Violation, Despite Intent To Misuse Information

A departing employee, who copied client files while still having full access to his employer’s computers, did not "exceed authorized access" under the Computer Fraud and Abuse Act (CFAA), despite the defendant’s improper use of the files and alleged breach of company policy.  Brett Senior & Assoc. v. Fitzgerald, No.06-1412, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007). The court granted summary judgment to the defendant on the CFAA and related state claims, but let stand the breach of fiduciary duty claim for the plaintiff’s telephone solicitation of clients while he was still in the plaintiff’s employ. The court found that the defendant could not be liable under the CFAA because there was no allegation that the defendant lacked authority or "exceeded authorized access" to view any information in the plaintiff’s computer system. The court rejected the plaintiff’s argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.



Leave a comment

Allegation that payment processing software installed “spyware” states claim under federal and New Jersey Computer Fraud Statutes

An allegation that payment processing software installed unauthorized "spyware" on the purchaser’s server that diverted confidential customer data to the software developer makes out a claim under the federal and New Jersey computer fraud statutes. Slim CD, Inc. v. Heartland Payment Systems, Inc., No. 3:06cv2256, 2007 U.S. Dist. LEXIS 62536 (D. N.J. Aug. 24, 2007). The district court declined to dismiss the software purchaser’s claims under the New Jersey statute, rejecting the developer’s argument that the statute required a showing of how the developer had used the diverted information for its own benefit. The court also ruled that the purchaser had properly alleged damages in excess of $5,000 within one year under the federal computer fraud statute.

Leave a comment

Cost of credit monitoring following data security breach not a cognizable injury in fact.

In a negligence and breach of contract action alleging unauthorized access to personal information as the result of a data security breach, the cost of credit monitoring is not a cognizable injury in fact under Indiana law. Pisciotta v. Old National Bancorp, No. 05-668, 2007 U.S. App. LEXIS 20068 (7th Cir. Aug. 23, 2007). The appeals court affirmed the lower court’s dismissal of the putative class action against a financial services provider, ruling that in the absence of any specific evidence of identity theft resulting from the security breach, the plaintiffs suffered merely the anticipation of future injury. The court followed the general rule that an alleged increase of future injury is not a cognizable injury that can form the basis of a successful negligence claim. The court also commented that Indiana’s data notification law, which outlines narrow disclosure duties and provides only for state enforcement actions, strongly suggests that Indiana law would not recognize the costs of credit monitoring as compensable damages.

Leave a comment

In Federal Court TCPA Action, Availability Of Class Action Governed By State Law

In an action under the Telephone Consumer Protection Act (TCPA) removed to federal court under the court’s diversity of citizenship jurisdiction, the question of whether the action may be maintained as a class action is a substantive issue to be decided under the law of the forum state. Giovanniello v. The New York Law Publishing Co., No. 07-1990, 2007 U.S. Dist. LEXIS 56694 (S.D.N.Y. Aug. 6, 2007). The district court granted the defendant’s motion to dismiss the plaintiff’s putative class action, because under New York C.P.L.R. §901(b), a case brought to recover statutory penalties may not be maintained as a class action. The court noted that in enacting the TCPA, Congress intended to incorporate state law limits on private causes of action under the Act. Applying the Erie doctrine, the court concluded that state law limits on class actions are substantive rather than procedural rules, and thus the class action could not be maintained. Because the plaintiff’s individual claim was less than the $75,000 amount required for diversity jurisdiction, the court dismissed the case in its entirety.

The court noted that plaintiff Giovanniello, an attorney, and his current counsel, have been involved in several cases seeking class action relief under the TCPA, e.g. Giovanniello v. Carolina Wholesale Office Machines Co., Inc., 2007 U.S. Dist. LEXIS 60671 (S.D.N.Y. Aug. 20, 2007) (TCPA class action dismissed as moot because individual claim resolved and class certification denied in identical state court action). Note, however, other states may permit class actions under the TCPA. See American Home Services v. A Fast Sign Co., Inc., 2007 Ga. App. LEXIS 906 (Ga. Ct. App. Aug. 9, 2007) (Georgia appellate court affirmed the lower court’s ruling certifying TCPA class action, rejecting the defendant’s claim that the proposed class failed the commonality requirement based upon "the hypothetical existence of persons in the class against whom it could assert the existing business relationship exception").