Attorney Phil Yannella was part of the “Regulatory Updates: Recent Developments in Data Breach & Privacy Litigation” panel at the NetDiligence Summit held in Philadelphia in July. We asked him about major topics of interest during the panel and which ongoing issues he’ll be closely watching in the coming months.
At the Summit, you talked about the recent TransUnion LLC v. Ramirez ruling. Why is this an important case?
In this class action, the defendant TransUnion had erroneously tagged certain consumer files as being positive for an OFAC check (i.e., mistakenly named on a terrorist watch list), which impacted the defendant’s ability to purchase a car when his credit report was shared with a car dealership. The Supreme Court ruled that a certain portion of the class didn’t have Article III standing—specifically, members of the class action suit whose information wasn’t shared by TransUnion with a third party). Ramirez had argued that these class members were at increased risk of future harm and therefore had Article III standing.
The issue our panel discussed is whether the Court’s ruling signals that “risk of future harm” is insufficient for Article III standing purposes in data breach cases. This was a FCRA cases, and not a data breach class action, so there is some debate as to how much of the opinion can be applied to the data breach context, but at a minimum TransUnion at least gives defense attorneys a very useful “headline” argument that the Supreme Court does not believe fear of future harm is sufficient for federal court jurisdiction in cases seeking monetary damages.
How might the TransUnion decision intersect with the Illinois Biometric Privacy Act?
There are a few privacy statutes, particularly at the state level, that permit statutory damages for violations that arguably may not constitute a concrete injury under TransUnion. One of these laws is the Illinois Biometric Protection Act, or BIPA. As background, BIPA allows for statutory damages where a company collects, scans, captures, purchases, receives or otherwise obtains someone’s biometric data without informing them and getting their consent. From a defendant’s standpoint, many of these lawsuits are simply technical violations of a law but don’t really amount to “concrete harm” because nothing bad has happened to a consumer.
TransUnion’s impact on BIPA could be of great interest to insurers as there has been a huge surge in BIPA filings this last year. We’re presently seeing 20-30 new BIPA lawsuits each week.
In full candor though, even if TransUnion is read to narrow the scope of BIPA claims in federal court, I don’t know how much impact the case is ultimate going to have because most of the BIPA cases are filed in state, and not federal court.
You offered some predictions for the upcoming year. What are the cases and issues that concern you most?
There are several pending cases in Illinois appellate courts addressing various contentious issues under the BIPA, one of which has to do with whether or not claims are subject to a one-year statute of limitations or two years.
Another issue being fought heavily is whether vendors are subject to BIPA There’s also an issue as to aggregate claims with statutory damages. For example, do you count each time there’s a scan without the required consent as a separate violation of the law or only the initial scan?
Outside of BIPA is the Capital One case, which addressed the issue of whether forensic reports are privileged in data breach litigation. The court in Capital One found that a forensic report generated by a forensic consultant was not privileged, which alarmed a lot of defense attorneys and insurers, because we’ve always operated on the opposite presumption. Principally, the court found that the report was not privileged because the forensic consultant was already operating under a master services agreement with the company.
In another opinion that came out recently, a court found that a report wasn’t privileged, with very similar factual findings. It does seem as though courts are leery of the notion that an attorney can simply come into an engagement that already exists, put their name on a letter and somehow privilege everything.
Instead, there has to be a separate letter of engagement—a very clear, substantive legal basis for the law firm to be retaining that expert that can be tied back credibly to either future litigation or a demonstrable legal purpose. So, again, I think that’s an issue that we’re going to see played out quite a bit over the next couple of years.
What’s happening on the state privacy law front?
California has had a comprehensive data privacy law since 2020. Since then, Virginia and Colorado have passed their own laws, and California has expanded its existing law. There are numerous other states that have proposed laws but haven’t yet passed them. It’s pretty likely that some of those states will do so in the next year or so, most likely Connecticut and Washington as those two states were very close to passing new laws this year.
One of the questions that the panel discussed is how to assess what regulators will care about the most in the future. What sort of things will plaintiff’s lawyers seize upon to start bringing litigation? One way to answer those questions is to look at what the California AG is doing. Right now, the California AG is in the process of bringing enforcement actions against companies that violated CCPA and the office has published summaries of the proceedings online.
Looking at what kind of enforcement actions the California AG is bringing tells us a lot about the likely privacy flashpoints in the future, where we may see litigation or additional legislation. That’s the best way to predict the future.
In summary…
We want to thank Phil for his expert Breach Coach® insights. The cyber insurance community that we support will be paying attention to important topics raised, such as damages for “future harm” and BIPA litigation trends as well as the increasingly more nuanced mosaic of state laws as they evolve. To learn more from Phil, you can watch the above-mentioned panel he moderated at our NetDiligence Cyber Summit. Phil has also published a book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights.