When Your Electronic Data Isn’t Safe

Just last week it was reported that millions of government workers’ private information might have been compromised by hackers. The Associated Press reports that hackers may have obtained critical personal information, such as name, Social Security Number, date and place of birth, job assignments, training files, performance ratings and current and former addresses.
As more and more information is exchanged electronically, privacy issues arising from companies’ storing, accessing, and mishandling of that information will only continue. Two recent cases in which courts came to different results on the issue of whether to certify class actions of victims of data breaches highlight how consumers and their attorney may want to deal with companies who possess (and lose) consumers’ personal information.

In one case, Philadelphia Court of Common Pleas Judge Mary Colins refused to certify a proposed class of over 200,000 individuals whose personal and health information was allegedly compromised by an insurer, Keystone Mercy Health Plan and Amerihealth Mercy Health Plan. The alleged mishandling of information occurred when employees copied personal data onto a flash drive and subsequently misplaced the drive. In her ruling against the plaintiff, who filed suit on behalf of his special-needs minor daughter, Judge Colins stated that under the Unfair Trade Practices and Consumer Protection Law (UTPCPL), the plaintiff failed to show that the insurers “acted deceptively in their pledges of security, nor did they lose any personally identifying information such as his daughter’s Social Security number or name and address.” Since the only information lost relating to the daughter was her member ID and health screening information, Judge Colins ruled that the plaintiff could not represent the proposed class members who actually did lose protected data.

In the other case, U.S. District Judge Lucy Koh of the Northern District of California allowed a class action lawsuit against Yahoo to move forward. The suit was brought on behalf of non-Yahoo mail subscribers who claim their emails were scanned, without permission, by Yahoo for keywords to use in their “targeted advertising.” The plaintiffs are seeking an injunction for Yahoo to stop scanning emails absent consent. In her ruling, Judge Koh certified a nationwide class under the Stored Communications Act and a California-only subclass under California’s Invasion of Privacy Act.

Judge Koh has previously denied class certification in a similar suit against Google for its impermissive scanning of emails to compile secret account profiles and target advertising. In the Google ruling, Judge Koh focused on whether the plaintiffs consented to Google’s alleged scanning of emails.

Ultimately, Judge Koh held that the consent issues were too different to combine into a class action, and that the inquiry into whether each user impliedly consented would “lead to numerous inquiries that will overwhelm any common questions.” Despite her denial of class certification, Judge Koh stated that Google’s term of service may not be explicit enough to constitute consent, which led Google to update its terms of service to more specifically outline its practices. Some privacy activists saw that as a step in the right direction.

The defense for Yahoo tried to analogize their case to Google’s and argued that individual inquiries into whether class members consented to Yahoo’s conduct would overshadow common questions. Judge Koh was not persuaded. In her ruling, Judge Koh wrote that the plaintiffs “made the strategic decisions” to only seek an injunction, rather than damages, and thus bear a lesser burden than those of the Google plaintiffs. Here, Judge Koh explained, the “plaintiffs need only show the existence of a common question of law or fact that is significant and capable of classwide resolution.”

Confronted by the rapid technological advances and the archaic laws not written with modern mass technologies in mind, attorneys are having to get creative in their approach to successfully bring a privacy lawsuit. The class certification by Judge Koh opens a door for other privacy suits to overcome the class certification hurdle by only seeking injunctions.

*Special thanks to Luke Zhu, JD/MBA Candidate, for his research and assistance in drafting this article.