Computer Law Reporter A MONTHLY JOURNAL OF COMPUTER LAW AND PRACTICE
Publisher: Neil J. Cohen, Esq.
Volume 60, Number 2 Washington, D.C. October 2014
HIGHLIGHTS Contents Page
The most noteworthy decisions this month are Website Marketing Statements: the following: The Achilles’ Heel to
• In Gomez v. Campbell-Ewald Co. No. 13-55486 CDA Protection?...... 6 (9th Cir. Sep. 19, 2014), in a case where the Navy hired an advertising agency to obtain recruitments Is Target Liable to and the agency hired a contractor to send unsolicited text messages, the Ninth Circuit reversed a District Card-Issuing Banks?...... 9 Court ruling that the agency was immune from liability because a defendant may be held vicari- ecent ecisions ...... 27 ously liable for TCPA violations where the plaintiff R D establishes an agency relationship, as defined by federal common law, between the defendant and a est of the logs ...... 51 third-party caller. B B • In In re Adobe Systems, Inc. Privacy Litigation, 13–CV–05226–LHK (N.D. Cal., Sep. 4, 2014), in Documents this consolidated action, plaintiffs seek injunctive and declaratory relief and restitution on behalf of a class of Adobe customers whose personal infor- Opinion, Gomez v. Campbell-Ewald Co. mation was accessed by hackers during a breach of Adobe’s servers. The Court reaffirmed a Ninth Opinion, In re Adobe Systems, Inc. Circuit opinion to the effect that an imminent threat that hacked personal information will be misused is Privacy Litigation sufficient to provide Article III standing, even if the misuse is not absolutely certain to occur. Contrary Opinion, Ades v. Omni Hotels to some other district courts, the Court did not read the Supreme Court’s Clapper decision as holding Management Corp. (Doc. No. 80) that the threat of misuse of hacked data is generally insufficient to confer standing on plaintiffs whose Opinion, Ades v. Omni Hotels data was taken but has not yet known to have been Management Group misused. The Court also held that a state law resti- (Doc. No. 81) tution claim could be brought here even though the named plaintiffs did not subscribe to all the Adobe Opinion, Jung v. Chorus Music Studio services that are encompassed within the proposed class definition. With respect to most of the named plaintiffs, the Court denied the motion to dismiss in Opinion, Remijas v, Neiman its entirety. Marcus Group, LLC (continued on page 4)
Subscription price $3575 for one year. Published monthly by Computer Law Reporter, Inc., 1601 Connecticut Avenue, N.W., Suite 701, Washington, D.C. 20009 • Tel: 202-462-5755 • Fax: 202-328-2430 • ISSN: 0739-7771 • Copyright © 2014 Computer Law Reporter, Inc. All Rights Reserved. Publications Director: John G. Herring. Production Manager: Kristina M. Reznikov. The views expressed herein do not necessarily represent those of the Editors or members of the Board of Editors. Comments on Our Other Publications . . .
The Bank and Corporate Governance Law Reporter is a monthly publication designed to serve litigators. It includes opinions, briefs, and transcripts of oral arguments in key FIRREA, FIDICIA, and corporate gover- nance cases. Subscribers receive articles on cutting-edge issues, analyses of cases in the context of prior law, and detailed indexes.
"The Reporter probes beneath the surface of reported opinions in major M&A cases and gives to the reader ready access to the cutting-edge arguments made by leading practitioners in the field. It is a critical tool for anyone seriously interested in staying one step ahead of developing legal trends in the area."
A. Gilchrist Sparks III Morris, Nichols, Arsht & Tunnell PRICE: $4275/YEAR
Many lawyers have discovered that the Chemical Waste Litigation Reporter is the most effective and compre- hensive publication to obtain, organize and digest the flurry of judicial opinions in Superfund and related insurance, toxic tort and commercial cases. No other service publishes the decisions, organizes them under issue headings, and analyzes them in the context of existing case law.
"We are very pleased with your reporter and believe that it provides a very useful tool both in litigation and counseling clients in the area of hazardous waste."
Charles Tisdale, Jr. King & Spalding
"The Reporter is an invaluable blend of published cases, briefs, news and analysis on the cutting edge of haz- ardous waste litigation. This publication is also a valuable research tool. Its well-organized index of relevant CERCLA provisions allows rapid identification of cases on point."
Michael A. Brown McCutchen, Doyle, Brown & Enersen PRICE: $3775/YEAR
Many lawyers believe that the RICO and Securities Fraud Law Reporter is the most effective and compre- hensive of the civil RICO reporting services. No other service publishes the decisions, organizes them under issue headings, and analyzes significant new decisions in the context of existing case law. Such headings in- clude Arbitration, Burden of Proof, Conspiracy, Discovery, Enterprise, Equitable Relief, Evidence, Forfeiture/ Disgorgement, Jurisdiction, Pattern, Pleadings, Predicate Acts, Res Judicata, Sanctions, and Standing. Also included every six months is a Cumulative Decision Index.
"The RICO and Securities Fraud Law Reporter is more than a 200-page monthly legal newsletter. By con- tinuously publishing timely articles and analyzing and synthesizing the published opinions, the editors have created, in effect, a first-rate civil RICO treatise, updated monthly."
Frank C. Razzano Pepper Hamilton LLP PRICE: $3725/YEAR To order, call 202-462-5755
Visit us on the Web at http://www.lawreporters.com Computer Law Reporter 1601 Connecticut Avenue, N.W., Suite 701, Washington, DC 20009 • 202-462-5755 • Fax 202-328-2430
Board of Editors
Fred M. Greguras, Esq. Richard H. Stern, Esq. K&L Gates Kellogg Huber Hansen 630 Hansen Way Todd, Evans & Figel, PLLC Palo Alto, CA 94304 1615 M Street, NW Suite 400 Washington, DC 20036 Tobey B. Marzouk, Esq. Marzouk & Parry 1120 19th Street, N.W. J.T. Westermeier, Esq. Seventh Floor Finnegan, Henderson, Farabow, Washington, DC 20036-3605 Garrett & Dunner, LLP 11955 Freedom Drive 8th Floor Michael F. Mason, Esq. Reston, VA 20190-5675 Hogan & Hartson 555 13th Street, N.W. Washington, DC 20004-1109 E. Robert Yoches, Esq. Finnegan, Henderson, Farabow, Garrett & Dunner, LLP Gary J. Rinkerman, Esq. 1300 I Street, N.W. Drinker, Biddle, & Reath LLP Washington, DC 20005-3315 1500 K Street, NW Washington, DC 20005
Professor Stephen Saxby Faculty of Law Southampton University Highfield, Southampton S017 1BJ U.K.
Volume 60, Number 2, October 2014. Copyright © 2014 Computer Law Reporter, Inc. All Rights Reserved
3 • In Ades v. Omni Hotels Management Corp., No. 2:13–cv–02468–CAS(MANx) (Doc No. 80) (C.D. Cal. Sep. 8, 2014), in this case involving callers to a toll-free phone number whose calls allegedly were recorded without their consent, the Court granted the motion for class certification, holding that the class was reasonably ascertainable and the require- ments of Federal Rule 23 had been met. The Court explained that a class action was supe- rior to individual suits because it was unclear that the statutory damages available under the California Invasion of Privacy Act would incentivize individual actions. The Court also suggested that the possibility that an aggregate damages award for the class would be massive and raise Due Process/proportionality concerns was not a proper consideration at the class certification stage and should not preclude certification, particularly given that the California legislature had expressly adopted and retained $5,000 as the minimum statutory damages for each violation of CIPA.
• In Ades v. Omni Hotels Management Group, No. 2:13–CV–2468–CAS(MANx) (Doc. No. 81) (C.D. Cal. Sep. 8, 2014), in this class action lawsuit seeking statutory damages under the California Invasion of Privacy Act (CIPA) based on the alleged recording of cus- tomer calls without consent, the Court denied the defendants’ motion for summary judg- ment. The Court held that California law applied even though the call center was located in Nebraska. The Court also held that application of CIPA to calls made by Californians to the call center in Nebraska did not violate the Dormant Commerce Clause. The Court explained that there was a triable issue as to whether the call center could identify the state of origin of callers, and hence could treat calls from California differently from calls from other states. The Court also suggested that even if CIPA incentivized national call centers to comply with CIPA with respect to all incoming calls, CIPA did not necessarily violate the Dormant Commerce Clause. Indeed, CIPA did not in any way represent extraterritorial regulation. The Court also found no merit in defendants’ other arguments for summary judgment.
• In Jung v. Chorus Music Studio, No. 13–CV–1494 (CM)(RLE) (S.D. N.Y. Sep. 11, 2014), the Courts of Appeals are split as to whether the Computer Fraud and Abuse Act (CFAA) creates liability whenever an employee misuses a workplace computer by using information contained on it for improper purposes or whether, more narrowly, it creates liability only when the employee accessed a computer that he or she was altogether pro- hibited from using. In opposing the filing of a CFAA counterclaim as futile, the plaintiffs in this case argued that the Second Circuit had embraced the narrow view of the CFAA as creating liability only for unauthorized access to an employer’s computer. The Court, however, read the Second Circuit precedent as inconclusive on this issue and allowed the proposed counterclaim to be filed against a named plaintiff who was authorized to use the
4 computer at issue but who allegedly misused the information he found on it for his own personal business venture. The Court thus suggested that it may agree with the broad view of the CFAA as creating liability for misuse of employer information, although the Court did not squarely rule on that issue in this opinion. • In Remijas v, Neiman Marcus Group, LLC, No. 14 C 1735 (N.D. Ill. Sep. 16, 2014), the Court held that department store customers whose credit card information was or may have been stolen lacked standing to sue the department store. Even with respect to those customers whose data actually was stolen and who had fraudulent charges made to their credit cards, there was an insufficiently concrete injury for Article III standing, because those customers presumably had those fraudulent charges removed from their accounts and were not forced to pay them. The time and effort dealing with fraudulent charges was dismissed by the Court as de minimis and insufficient to qualify as a concrete injury. The Court also was unpersuaded by the plaintiffs’ “creative” theory that they overpaid for the defendants’ products because the prices for those products should have included defen- dant’s costs of providing adequate data security, which in fact was not provided. The Court did hint that more specific allegations of harm from incurring fraudulent charges on the part of individual plaintiffs might be sufficient to establish standing.
5 Website Marketing Statements: The Achilles’ Heel to CDA Protection? Jeffrey D. Neuburger*
It’s no secret that local directory/consumer review websites are popular among con- sumers looking for recommendations before dining out, hiring a contractor, or even pick- ing a dentist or day spa. Yelp reported around 138 million monthly unique visitors in the second quarter of 2014, searching among over 61 million local reviews. The bottom line is that solid reviews and multiple stars on local search sites can drive sales; on the other hand, and to the chagrin of business owners, low ratings and a spate of one-star rants displayed prominently at the top of a listing can drive customers away.
Review sites typically have to wrestle with the problem of unreliable or fictitious re- views, which are blurbs written by friends or employees of the listed business, paid reviews, and negative reviews written by business competitors. Some sites use filtering software to identify and remove unreliable reviews – of course, such software is not perfect, and businesses have complained that some sites have filtered out legitimate reviews, but left in other fake reviews to the detriment of the reviewed businesses.
A number of businesses have brought suit against consumer review sites claiming that they purposely remove positive reviews (but leave up defamatory complaints), arbitrarily reorder the appearance of reviews, or otherwise wrongfully tinker with the algorithms that are supposed to weed out “fake” reviews presumably to encourage or “extort” businesses to purchase advertising or pay for additional features.
Most suits that have sought to hold sites responsible for defamatory content created by third-party users have been rejected by courts based upon CDA Section 230, which im- munizes “interactive computer services” – such as a consumer review websites – where liability hinges on content independently created or developed by third-party users.
To get around the broad immunity, some businesses have urged courts to interpret an intent-based exception into Section 230, whereby the same conduct that would otherwise be immune under the statute (e.g., editorial decisions such as whether to publish or de-pub- lish a particular review) would be actionable when motivated by an improper reason, such as to pressure businesses to advertise. However, several courts have rejected this theory.
* Jeffrey D. Neuburger is a partner with Proskauer Rose LLP and Co-Chair of Technology, Media & Com- munications for the firm. This article originally appeared on the firm’s blog at newmedialaw.proskauer.com. Copyright © Proskauer Rose LLP. Reprinted by permission.
6 • Reit v. Yelp!, Inc., 29 Misc 3d 713 (N.Y. Sup. Ct. 2010) (Yelp’s selection of the posts it maintains on its site can be considered the selection of material for publication, an action “quintessentially related to a publisher’s role,” and therefore protected by CDA immunity)
• Levitt v. Yelp! Inc., 2011 WL 5079526 (N.D. Cal. Oct. 26, 2011) (our prior post on the Levitt opinion) (CDA Section 230 contains no explicit exception for impermissible edi- torial motive, particularly since traditional editorial functions often include subjective judgments that would be “problematic” to uncover, thereby creating a chilling effect on online speech that Congress sought to avoid). Note, on appeal, the Ninth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims – though not on the basis of CDA Section 230 – alleging Yelp extorted advertising payments from them by pur- potedly manipulating user reviews.
• Kimzey v. Yelp Inc., 2014 WL 1805551 (W.D. Wash. May 7, 2014) (mere fact that an interactive computer service “classifies” user characteristics and displays a “star rating system” that aggregates consumer reviews does not transform it into a developer of the underlying user-generated information).
However, in recent disputes, businesses have sought an end run around CDA Section 230, specifically by bringing claims that do not treat the websites as publishers or speakers of the defamatory or fictitious user reviews, but instead relate to the website’s marketing representations about such content. At least two courts have allowed such claims to go forward, bypassing CDA immunity.
In one such case, Moving and Storage, Inc. v. Panayotov, 2014 WL 949830 (D. Mass. Mar. 12, 2014), the plaintiffs alleged that a moving company review website (that itself was operated by a moving company) intentionally deleted positive reviews of the plain- tiffs’ companies and deleted negative reviews that criticized its own company to gain mar- ket share, all the while representing that the site offered “the most accurate and up to date rating information.” The court concluded that CDA Section 230 did not bar plaintiffs’ false advertising and unfair competition claims because they were not based on information provided by “another information content provider,” and did not arise from the content of the reviews.
Most recently, a California appellate court reversed a lower court’s dismissal of an action against Yelp over alleged false advertising regarding its automated review filter. In Demetriades v. Yelp, Inc., 2014 WL 3661491 (Cal. App. July 24, 2014), the plaintiff brought state law claims for unfair competition and false advertising alleging that Yelp en- gaged in false advertising based upon marketing statements stating that user reviews passed
7 through a filter that gave consumers “the most trusted reviews” and only “suppresse[d] a small portion of reviews.” The plaintiff alleged that Yelp’s statements about its filtering practices were mislead- ing because its filter suppressed a substantial portion of reviews that were trustworthy and favored posts of the “most entertaining” reviews, regardless of the source. The lower court had previously granted Yelp’s motion to strike the plaintiff’s complaint under California’s anti-SLAPP provisions, which aim to curb “lawsuits brought primarily to chill the valid exercise of the constitutional rights of freedom of speech and petition for the redress of grievances.” Cal. Code Civ. Pro. §425.16 (a). The appellate court reversed, holding that false advertising-like claims involving commercial speech fell outside the reach of the anti- SLAPP statute and that Yelp’s representations about its filtering software—as opposed to the content of the reviews themselves—were “commercial speech about the quality of its product.” Regarding the application of CDA Section 230, the court rejected Yelp’s argument that plaintiff’s claims should be dismissed because courts have widely held that claims based on a website’s editorial decisions (publication, or failure to publish, certain third-party conduct) are barred by Section 230. In a brief paragraph, the appellate court stated that the CDA was inapplicable because the plaintiff was not seeking to hold Yelp liable for the statements of third-party reviewers, but rather for its own statements regarding the accu- racy of its automated review filter. Companies, frustrated with their portrayal on online review sites, have mostly struck out when seeking to hold website operators liable for managing and displaying user-gen- erated reviews. However, this past year, some courts have offered companies another potential avenue at obtaining relief. While the courts merely allowed the claims related to marketing representations to survive dismissal at the early stages of litigation, it is uncer- tain how either court will rule on the merits. With this in mind, sites that collect and manage user-generated content, or otherwise use automated filtering software to manage content, should examine marketing statements on their websites for any language that goes beyond mere puffery and might be construed as misleading.
8 Is Target Liable to Card-Issuing Banks?
Publisher’s Introduction
Beginning on the next page is an amicus brief on behalf of internet com- panies seeking certiorari in the Supreme Court to overturn the Ninth Circuit’s decision in Spokeo v. Robbins, holding that a statutory violation without dam- ages is sufficient to confer Article lll standing. The petitioners argue that there is a split in the Circuits and that enforcement of pure statutory rights should be left to the government.
9 Computer Law Reporter
! ! CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 1 of 34 CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 2 of 34
UNITED STATES DISTRICT COURT TABLE OF CONTENTS DISTRICT OF MINNESOTA I. SUMMARY OF PERTINENT FACTUAL ALLEGATIONS ...... 1
A. The Criminal Intrusion on Target’s Computer Network...... 1
In re: Target Corporation Customer Data B. The Parties and Their Roles in the Payment Card Networks...... 2 Security Breach Litigation MDL No. 14-2522 (PAM/JJK) II. SUMMARY OF THE ARGUMENT ...... 3
III. LEGAL STANDARD ...... 4 This Document Relates to: All IV. ARGUMENT ...... 5 Financial Institution Cases A. The Banks’ Negligence Claim Must Be Dismissed...... 5
1. The Banks Fail to Plead that Target Owed Them a Duty of Care...... 5
2. The Banks’ Allegations of Breach of Duty Fail to Satisfy
92 Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Iqbal and Twombly ...... 14 Savings of Lorain, individually and on B. The Banks’ Claim For Negligent Misrepresentation by Omission behalf of a class of all similarly situated Must Also Be Dismissed...... 16 financial institutions in the United States, 1. The Banks Fail to Allege that Target Owed Them a Duty of Care...... 17 Plaintiffs, 2. The Banks Fail to Allege Any Actionable Misrepresentation vs. by Omission...... 21 3. The Banks Have Failed to Allege Reliance...... 25 Target Corporation, C. The Banks’ Claim For Violation of the Minnesota Plastic Card Security Act Must Be Dismissed ...... 26 Defendant. 1. The Banks Fail to Allege that Target Retained Any Payment
Card Data in Violation of the Minnesota Plastic Card Security Act...... 26
2. The Minnesota Plastic Card Security Act Only Applies to DEFENDANT’S MEMORANDUM OF LAW IN SUPPORT OF MOTION TO Business Conducted in Minnesota...... 29 DISMISS THE CONSOLIDATED CLASS ACTION COMPLAINT D. Because the Banks Have Failed to State a Claim For Violation of the Minnesota Plastic Card Security Act, They Have Likewise Failed to State a Claim For Negligence Per Se Based on that Act...... 30 V. CONCLUSION ...... 30
i Computer Law Reporter
! ! CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 3 of 34 CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 4 of 34
Target Corporation (“Target”) submits this memorandum of law in support of its B. The Parties and Their Roles in the Payment Card Networks.
Motion to Dismiss Plaintiffs’ Consolidated Class Action Complaint (“Complaint”). The Banks are headquartered in Oregon, Massachusetts, Minnesota, Louisiana,
I. SUMMARY OF PERTINENT FACTUAL ALLEGATIONS and Ohio. Compl. ¶¶ 7–12. Target is a Minnesota corporation with retail locations
A. The Criminal Intrusion on Target’s Computer Network. throughout the United States. Compl. ¶¶ 13–14.
On December 19, 2013, Target announced that it had been the victim of a criminal Payment card issuers like the Banks participate in an “extensive network of
attack on its computer network by third-party intruders (the “Intrusion”), which had been financial institutions” that together process retail payment card transactions. Compl. ¶ 18.
confirmed only four days earlier. Compl. ¶ 68 n.2. The Intrusion was carried out by This process begins with a financial institution, like the Banks, issuing a payment card to
sophisticated criminal hackers (Compl. ¶ 103), who gained access to Target’s network a consumer. The consumer then may choose to use that payment card to make purchases
through credentials they stole from a third-party vendor whom Target retained for HVAC at retail merchants, such as Target. Compl. ¶ 17. When this occurs, the merchant obtains maintenance. Compl. ¶¶ 41, 46. Once inside the Target network, the hackers deployed authorization and payment for the transactions not from the bank that issued the card (the
custom point-of-sale malware to Target’s registers, which collected credit and debit card “issuing bank”), but rather from a payment processor and/or a merchant bank (an
(jointly, “payment card”) information “in real time” when customers swiped their cards at “acquiring bank”) that has contracted with the merchant to handle the transaction. Id.
Target registers between December 2, 2013 and December 15, 2013. Compl. ¶¶ 49, 56. The acquiring bank in turn obtains authorization and payment under its separate contract
Target’s security measures were certified by an independent auditor as compliant with a payment card company such as Visa and MasterCard (the “Card Brands”), and the
with “all payment industry requirements” and included “state of the art” tools that Target Card Brand in turn obtains authorization and funding under its separate contract with the
invested substantial resources to acquire. Compl. ¶¶ 28, 34, 44. However, plaintiffs – a issuing bank. 1 Thus, issuing banks and merchants have no direct dealings with one
group of five payment-card-issuing banks, credit unions, and savings associations (the another in the payment card transaction process.
“Banks”) (Compl. ¶¶ 7–12) – nonetheless assert that Target is to blame for not preventing
the Intrusion. Compl. ¶¶ 2, 86. They claim resulting financial losses that include costs 1 See Visa International Operating Regulations (Oct. 15, 2013), at *49, *51, *941, *1019 associated with reissuing payment cards to customers and reimbursing fraudulent charges. (Decl. of Douglas H. Meal (“Meal Decl.”), Ex. A) (providing that acquirers and issuers are both “Members” who contract with Visa and are subject to Visa’s Operating Id. Regulations). Because the Card Operating Regulations are “necessarily embraced by the pleadings,” see, e.g., Compl. ¶¶ 17–18, the Court may consider them on a motion to dismiss. Twin City Sprinkler Fitters v. Total Fire Prot., Inc., No. Civ. 02-930 PAMRLE, 2002 WL 31898170, at *1 n.1 (D. Minn. Dec. 26, 2002). See also Banknorth v. BJ's
1 2 Computer Law Reporter
! ! CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 5 of 34 CASE 0:14-md-02522-PAM Document 185 Filed 09/02/14 Page 6 of 34
The Card Brands have issued comprehensive regulations governing these already has addressed the issue of when a merchant might be liable to an issuer following
processes (“Card Operating Regulations”). Compl. ¶ 18. Although merchants do not a data breach; (ii) the contractual regime upon which the Banks base many of their claims
contract directly with the Card Brands, the Banks allege that the Card Operating already provides a system under which issuers may be compensated following a data
Regulations are incorporated into merchants’ contracts with acquiring banks. Id. The breach; and (iii) courts in other jurisdictions already have refused to impose common-law
Banks also allege that merchants are contractually bound to comply with the Payment tort duties based on similar allegations, the facts alleged here do not justify the imposition
Card Industry Data Security Standard (“PCI-DSS”), which sets forth information security of new and unprecedented common-law tort duties under Minnesota law. Even if that
requirements by the Payment Card Industry Security Standards Council, through an were not the case, the Banks’ failure to plead other elements of their claims, such as
unspecified agreement. Id. ¶¶ 19, 129. breach, an actionable misrepresentation by omission, or reliance, would nonetheless
II. SUMMARY OF THE ARGUMENT require dismissal.