The Government Can Sue for a Privacy or Data-Security Violation. What Are the Limits of that Government Power?

Consumers and businesses aren’t the only sources of potential privacy and data-security litigation. Today’s post looks at another important source: the Federal Trade Commission and state consumer-protection regulators.

In many cases, government enforcers don’t have express authority to sue for “privacy” or “data security” violations. Instead, the FTC often sues based on its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. State enforcers invoke their authority under Section 5’s state-law analogues, like N.C. Gen. Stat. §75-1.1. The enforcers argue that the failure to protect consumers’ sensitive data constitutes an “unfair” business practice.    

A new decision from a federal court in California, called FTC v. D-Link Systems, explores the limits of this theory. This post discusses two specific issues from D-Link:

  • Can the FTC use its “unfairness” authority under Section 5 to regulate companies’ data security practices?
  • Can an “unfairness” claim lie under Section 5 without an allegation that consumers suffered either (a) monetary loss or (b) actual disclosure of their sensitive personal data?

The Best Possible Security?

D-Link Systems sold routers and internet-connected security cameras and video baby monitors. D-Link’s marketing materials and user manuals touted the products’ security features. The materials said that the products included “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”

Not so, according to the FTC. The Commission claimed the software for D-Link’s products had clear security flaws—flaws that allowed attackers to access the devices over the Internet and to observe consumers through their cameras, or to steal sensitive information stored on a consumer’s home network. 

The FTC sued D-Link, alleging (among other claims) that D-Link’s failure “to take reasonable steps to secure the software” for their routers and cameras amounted to an “unfair” act or practice that violated Section 5. Notably, the FTC did not allege that any consumer had actually been spied on or had their data stolen—just that those harms could result from the security flaws in D-Link’s products.

No Harm, No Foul? 

D-Link moved to dismiss the unfairness claim on two broad grounds.

First, D-Link generally objected to the FTC’s use of its unfairness authority to regulate data security.  According to D-Link, “Section 5 says nothing about data security,” and “[i]f Congress wanted the FTC to regulate data security for the entire economy, it would have clearly said so.”  Even if Section 5 gave the FTC the authority to regulate data security, D-Link argued, the FTC had not given D-Link fair notice—through the formal adoption of clear standards—of “what data-security practices for routers and IP cameras the FTC believes Section 5 to prohibit or to require.”

Second, D-Link argued, the FTC had failed to adequately allege that D-Link’s practices in this case caused or were likely to cause substantial injury to consumers—a necessary element of an unfairness claim under Section 5. The statute, said D-Link, required the FTC to allege actual physical or monetary harm to identifiable consumers. 

It Means What We Say It Means

The court rejected out of hand D-Link’s general challenge to the FTC’s unfairness authority. It explained that “unfairness” was “by its very nature, a flexible concept with evolving content.” That data security was not expressly enumerated in Section 5 thus did not affect the FTC’s ability to exercise its authority to regulate companies’ data security practices. In that regard, the court cited approvingly to FTC v. Wyndham Worldwide Corp., a Third Circuit case from 2015 that rejected the same argument.

The court also rejected D-Link’s “fair notice” argument. Even though adopting specific data-security standards might in theory be “an optimal way” for the FTC to proceed, said the court, the law did not require this as a precondition for bringing an enforcement action. Rather, the FTC had discretion to proceed through individual, ad hoc litigation. And in the court’s view, that approach was especially appropriate in the realm of data security: “data security is a new and rapidly developing facet of our daily lives, and to require the FTC in all cases to adopt rules or standards before responding to data security issues faced by consumers” would be impractical.

What’s the Harm?            

The court agreed with D-Link, however, that the FTC had not adequately pleaded the “injury” element of its unfairness claim. According to the court, the FTC’s failure to allege facts showing that consumers suffered a monetary loss, or had their sensitive personal data accessed or exposed, was fatal to the FTC’s claim. The absence of such facts, despite the FTC undertaking a thorough investigation, indicated that it was just as possible that D-Link’s devices were not likely to substantially harm consumers.

The court therefore dismissed the unfairness claim, but then gave the FTC leave to amend—and a roadmap on how to avoid dismissal the second time around. 

According to the court, rather than relying on the risk of future harm to consumers from a compromised device, the FTC might instead frame the “injury” to consumers as an overpayment for the devices themselves.  The court explained that a consumer’s purchase of a device that was not reasonably secure—let alone as secure as advertised—would be “in the ballpark” of a substantial injury, particularly if that injury were suffered by a large group of consumers.  

Lessons for Companies

D-Link contains some important lessons for companies.

First, the decision confirms that the FTC can use its unfairness authority under Section 5 to regulate data security, and that it can use ad hoc enforcement actions rather than formally-adopted rules and standards. Absent such rules or standards, companies would be well-advised to stay abreast of the informal guidance that the FTC makes available on its website and Business Blog, and of the actions that it brings against other companies.

Second, the court’s invitation for the FTC to amend its unfairness claim to focus on consumers’ purchase of devices they expected to be secure may lead regulators, just like consumers, to use “overpayment” theories to avoid dismissal of data-security lawsuits.

Author: Alex Pearce

Section 75-1.1 and Trial Evidence

When a claim for violation of N.C. Gen. Stat. § 75-1.1 goes to trial, what analytical framework governs the admissibility of evidence related to that claim?

Today’s post studies a recent decision by Judge Louis A. Bledsoe, III in the North Carolina Business Court that raises this question.

When an Asset Purchase Did Not Materialize, a Lawsuit Did

Insight Health Corporation v. Marquis Diagnostic Imaging of North Carolina concerns a lease agreement for an MRI scanner.

The plaintiff, Insight, provided one of the defendants, Marquis Diagnostic Imaging of North Carolina (MDI), with a scanner, support staff, and related services. In exchange, MDI paid Insight a monthly fee. Insight and MDI entered the agreement in 2012.

Roughly one year later, MDI closed its doors and sold its assets to another company. MDI stopped using the scanner—and stopped paying Insight.

MDI realized $1.15 million from its asset sale. None of that $1.15 million was paid to Insight. Insight then sued MDI for breach of contract and violation of section 75-1.1.

MDI and its co-defendants responded with affirmative defenses and counterclaims related to negotiations between Insight and MDI that predated the 2012 lease agreement. In those negotiations, Insight showed interest in buying MDI’s assets. Negotiations continued through the middle of 2013, but ultimately failed.

MDI characterized the failed negotiations and the 2012 lease agreement as related events. Judge Bledsoe, however, concluded otherwise, and dismissed or entered summary judgment on the defenses and counterclaims related to the failed negotiations.

The case is now headed to a trial set for November 6. In connection with the trial, Insight filed a pretrial motion to bar MDI from introducing evidence or argument about the negotiations that led up to the failed asset purchase.

The Key to Admissibility? The Plaintiff’s 75-1.1 Theory

When it asked Judge Bledsoe to bar evidence of the failed negotiations, Insight relied on Rules 401 and 402 of the Rules of Evidence. Those rules require evidence to be relevant in order to be admissible.

The motion put the ball in MDI’s court. Because the Court had dismissed MDI’s counterclaims and affirmative defenses based on the failed negotiations, what relevance might evidence of the negotiations have on Insight’s claims?

MDI told Judge Bledsoe that evidence of the failed negotiations will give the jury context about MDI’s breach of the MRI agreement.  More specifically, MDI seeks to convince the jury that MDI did not refuse to pay Insight in bad faith, but legitimately thought that it had a legal right not to do so.

MDI offered a second reason, as well: evidence of the negotiations will demonstrate to the jury MDI’s financial condition leading up to MDI’s breach of the MRI agreement.

To assess the admissibility of this evidence, Judge Bledsoe examined each of Insight’s claims—including, and especially, Insight’s claim for violation of section 75-1.1.

In particular, Judge Bledsoe tried to pinpoint the theory behind the 75-1.1 claim.

Judge Bledsoe first referred to the general rule that a defendant’s good faith is not a defense to an alleged violation of section 75-1.1.

Judge Bledsoe then noted that this rule has exceptions. Citing the North Carolina Supreme Court’s 2013 decision in Bumpers v Community Bank of Northern Virginia, Judge Bledsoe observed that section 75-1.1 claims “can be, and are, based upon a wide set of facts and circumstances.”

The spectrum of claims, Judge Bledsoe pointed out, includes theories that make a defendant’s motives relevant. He offered an example to prove the point:

  • Substantial aggravating circumstances can include forged documents, lies, and fraudulent inducement.
  • A defendant’s state of mind may be relevant to whether a defendant forged a document or made a misrepresentation.

In sum, a plaintiff can choose a 75-1.1 theory that involves facts about a defendant’s motives. When a plaintiff does so, Judge Bledsoe concluded, a defendant should be allowed to introduce evidence “that tends to show the absence of those same facts.”

Against this backdrop, Judge Bledsoe observed that the theory behind Insight’s section 75-1.1 claim “is not yet concrete.” He also observed that the aspects of the claim that have survived to trial relate to Insight’s breach-of-contract claim. If Insight argues a “substantial aggravating circumstances” theory to support the section 75-1.1 claim at trial—and tries to prove up that theory with evidence of MDI’s improper motive or intent—then MDI should be able to rebut that evidence with evidence of the failed negotiations and failed asset purchase.

Because Insight’s arguments and intentions remain unclear, Judge Bledsoe deferred ruling on admissibility. His opinion, however, forecasted how he will approach evidentiary questions on the 75-1.1 claim at trial.

On the Defendant’s Trial Evidence, Begin with the End in Mind

The Insight decision provides at least two important takeaways for North Carolina business litigators.

First, as always, the theory of a section 75-1.1 claim is central to the claim’s success. Courts consider the taxonomy of 75-1.1 claims—even when litigants do not.

Second, the relevant 75-1.1 theory provides a roadmap not only to the evidence that the plaintiff will need to support the theory, but also to the evidence that might be available to the defendant to disprove the claimant’s evidence.

This means that, if you represent a defendant, discerning a plaintiff’s 75-1.1 theory is a top priority. It also means that, if you represent a plaintiff, careful thinking is warranted to identify precisely what type of evidence you might be putting into issue based on your 75-1.1 theory.

Author: Stephen Feldman

The Economic Loss Rule and Misrepresentation-Based Section 75-1.1 Claims

We’re not alone in our interest in how the economic-loss doctrine applies to alleged violations of N.C. Gen. Stat. § 75-1.1. 

In a recent case in the North Carolina Business Court involving section 75-1.1 claims, Judge Michael L. Robinson requested supplemental briefing on the economic-loss doctrine. 

Judge Robinson’s sua sponte order was followed by his application of the doctrine to the plaintiff’s claims on the defendants’ summary judgment motion. This post examines Judge Robinson’s decision and its result that dismissed several claims based on the doctrine but allowed others to proceed.

Best Laid Airplans

Carmayer, LLC v. Koury Aviation, Inc. involved the sale of a plane that did not go as planned.  If there were lemon laws for planes, this plane would be a candidate.

In October 2014, Amiel Rossabi (a lawyer) and Rocco Scarfone planned to purchase an aircraft to place into service as a charter jet through a federal program known as Part 135 that allows owners to generate profits from its use as a for-hire charter plane.  But the aircraft has to meet certain standards to qualify under Part 135.

Rossabi and Scarfone settled on a 1976 Cessna 421C twin-engine propeller aircraft.  They formed Carmayer LLC to buy the plane.

Early in their search, Rossabi and Scarfone were introduced to the defendants—a North Carolina company, its President, and its Director of Maintenance—as experts in the Part 135 process.  The defendants wore several hats in the Carmayer plan: 

  • Carmayer sought advice from the defendants on the purchase.
  • Carmayer sought advice on bringing the plane into compliance with the Part 135 program.
  • Carmayer later signed a lease with the defendants to facilitate the charter of the Cessna 421C under Part 135 as part of the defendants’ fleet.
  • Under the lease agreement, the defendants would also be responsible for monitoring the mechanical condition of the plane and advising Carmayer on the status of all scheduled maintenance, inspections, and overhaul of the plane.

But Carmayer’s plans quickly experienced turbulence.  The aircraft did not qualify under Part 135 and would require extensive maintenance to qualify.  Carmayer eventually took the plane from the defendants to get a second opinion, and learned there were 172 problems with the plane.  Today, Carmayer believes the plane may never qualify for the Part 135 program.

Carmayer then sued the defendants.  Carmayer’s complaint asserted claims for negligent misrepresentation, breach of fiduciary duty, and section 75-1.1 claims.  No contract claim was alleged.

In their answer, the defendants’ affirmative defenses included the economic-loss doctrine.  After discovery, however, they did not raise the doctrine in the briefing on their motion for summary judgment.

After a hearing on the motion, Judge Robinson issued his sua sponte order that requested additional briefing on the economic-loss issue. 

Apparently sensing which way the wind was blowing, Carmeyer asked Judge Robinson for leave to file an amended complaint to add a contract claim—after the briefing process on the economic loss doctrine had been completed but before Judge Robinson ruled.   Judge Robinson denied that request because Carmeyer had delayed in seeking leave to amend, and could have asserted the breach of contract as an alternative claim in its original pleading.

Splitting Airs

Judge Robinson began his analysis by separately evaluating each of the alleged negligent misrepresentations.  

First, Judge Robinson relied on the economic loss doctrine in dismissing claims that post-dated the parties’ lease agreement regarding the airworthiness of the plane and the potential to add it to the defendants’ fleet.  Judge Robinson found that these claims were all barred by the economic-loss doctrine.  The agreement governed the defendants’ duty to advise Carmeyer on the plane’s condition and certification status, and there was no evidence of a separate and distinct duty to maintain the plane or add it to the defendants’ fleet.

But Judge Robinson allowed two other negligent-misrepresentation claims to proceed.  Both claims involved representations made prior to the purchase of the plane and the parties signed the lease agreement. 

The first was premised on a representation that one of the defendants was an expert on chartering aircraft under Part 135. Judge Robinson cited Scarfone’s affidavit testimony that the defendants had represented that the President was an expert in the process.  Judge Robinson also cited the President’s testimony that he did not know how to get Part 135 approval. Judge Robinson dismissed other similar claims regarding the Director of Maintenance and the company itself, because those statements were made with reasonable care. 

The other claim was based on pre-agreement representations that the defendants knew what was required to make the plane Part 135-compliant. Judge Robinson cited a conflict of testimony regarding whether the plane needed to be maintained pursuant to the factory recommendations to be eligible for Part 135. The Director of Maintenance testified that such maintenance was not required, while the company that gave the second opinion on the plane testified that it was required. Judge Robinson found that there was a material issue of fact on this point, and denied summary judgment.

Judge Robinson also dismissed the fiduciary duty claims, finding there was no fiduciary duty between the parties.

Negligent Misrepresentation Equals Chapter 75

Judge Robinson then addressed the section 75-1.1 claims.  The complaint was thin on substance for these claims.  Carmeyer instead just tied the claim to the negligent misrepresentation and breach of fiduciary duty claims.

As a result, Judge Robinson did not deeply analyze the section 75-1.1 allegations.  Instead, he allowed the misrepresentation-based claims to proceed based on the two negligent misrepresentation claims that survived summary judgment.

Lessons for Litigants

The order in Carmeyer is an important read for North Carolina business litigators.

Carmeyer shows that, even after a defendant successfully shows that the economic-loss doctrine bars a claim for violation of section 75-1.1, the application of the doctrine might vary depending upon the timing and substance of the relevant conduct.

There’s another lesson in Judge Robinson’s denial of the motion to amend:  a party cannot avoid the economic-loss doctrine simply by not pleading a valid contract claim.  The Court’s denial of the motion to amend here could have been far more consequential if the Court had also dismissed the other tort claims.

Author: Jeremy Falcone