Author Archives: Alex Pearce

61 Million Reasons to Carefully Oversee Your Third-Party Marketer?

As we’ve mentioned before, federal privacy statutes that permit lawsuits and award automatic damages can be a fertile source of consumer class action litigation.

The Telephone Consumer Protection Act (TCPA) fits this bill. Under the TCPA, telemarketers cannot call residential phone numbers on the National Do Not Call Registry. A TCPA violation results in statutory damages of up to $500 per unlawful call. Those damages can be trebled if the defendant knowingly or willfully violated the act.

The consequences of willful TCPA violations were on full display in Krakauer v. Dish Network, a recent case in the Middle District of North Carolina. Krakauer is notable both because it presents a rare example of a federal civil case proceeding to a jury trial, and because it resulted in a $61 million treble damages award.

Krakauer is particularly interesting because the defendant, Dish Network, did not even make the telemarketing calls at issue. Rather, those calls were made by a third-party marketer that Dish Network hired to sell its satellite television programming.

The case thus turned on a key issue: when can a defendant be responsible for “knowing and willful” TCPA violations committed by a marketer acting on the defendant’s behalf?

Hello, is it Dish you’re looking for?

Krakauer concerned telemarketing calls made by Satellite Systems Network, a marketer that Dish hired to sell Dish’s satellite television programming and related services. The class action complaint alleged that Satellite made thousands of calls to individuals who registered their numbers on the Do Not Call Registry. The plaintiffs alleged that Dish should be liable for those TCPA violations. They sought statutory damages for each call, and sought to treble those damages for willful or knowing violations. 

After surviving a Spokeo-based standing challenge, and overcoming Dish’s summary judgment motion, the case proceeded to trial, where the plaintiffs presented evidence that showed that:

  • Dish’s agreement with Satellite gave Dish broad power to oversee and control Satellite’s telemarketing activities;
  • Dish received numerous complaints about Satellite’s telemarketing practices; and
  • Dish typically instructed Satellite to put complainants on Satellite’s internal do-not-call list and not to call them again, but didn’t do anything else.

The jury ruled against Dish. It found that Satellite acted as Dish’s agent in making over 51,000 calls to numbers on the Do Not Call Registry, and awarded statutory damages of $400 per call, for a total award of over $20 million.

The Court then considered whether to treble those damages. 

Can a principal be charged with “knowing and willful” conduct for TCPA violations committed by an agent?

The Court’s opinion on that issue evaluated whether the TCPA violations were “knowing or willful.” The Court first noted that existing case law didn’t specify whose conduct should be the focus of that inquiry in a case involving calls made by an agent: the agent’s or the principal’s.

The Court avoided deciding that issue, because it found that damages could be trebled whether the court focused on Satellite’s conduct and imputed it to Dish, or looked only at Dish’s own conduct. 

As to Dish’s own conduct, the court found the following factors established Dish’s willfulness:

  • Dish’s agreement with Satellite gave it “virtually unlimited rights to monitor” Satellite and “complete control” over Satellite’s telemarketing calls;
  • Dish was aware that Satellite had a history of TCPA violations, but failed to closely monitor the telemarketing it conducted on Dish’s behalf; and
  • Dish turned a “blind eye” to complaints that came to its attention, asking only that Satellite stop calling the specific person who complained.

This evidence, the Court concluded, showed that Dish’s TCPA compliance policy was “decidedly two-faced.”  “On paper,” said the Court, Dish had “committed to monitoring its marketers’ compliance with telemarketing laws and investigating complaints.”  Its failure to do so in practice, the Court concluded, showed that Dish “knew or should have known” that Satellite was violating the TCPA, but “cared about stopping complaints, not about achieving TCPA compliance.” 

The Court thus trebled the per-call damages from $400 to $1,200, leading to a total damages award of more than $61 million.

Lessons from Krakauer

Krakauer presents a conundrum for companies that seek to manage risk presented by third-party marketers. 

Given the stakes, those companies often insist on agreements that give them a high degree of control over the marketers’ activities, and extensive rights to monitor and enforce the marketers’ compliance with the TCPA. 

But Krakauer may create an incentive for companies to avoid including these terms in their agreements with vendors, lest they lead to a finding of willfulness when a marketer fails to live up to its TCPA duties. Indeed, the potential for that outcome was recently cited as a reason not to impose punitive damages on Dish in a separate TCPA enforcement action brought against the company by the Federal Trade Commission and four state attorneys general (including North Carolina’s) in the United States District Court for the Central District of Illinois. 

However a company chooses to address prospective TCPA compliance in its agreements with marketers, Krakauer makes clear that once it becomes aware of TCPA compliance issues presented by a marketer who makes calls on its behalf, the company ignores those issues at its peril. 

Author: Alex Pearce

Standing Room Only: Spokeo and the Video Privacy Protection Act

As we’ve discussed before, standing is often a key issue in data-breach litigation.  Standing is also frequently at issue in another type of privacy case: litigation arising from violations of privacy rights created by statute.   

Privacy and consumer protection laws such as the Telephone Consumer Protection Act and the Fair Credit Reporting Act, which create private rights of action and provide for statutory damages, have been a fertile source of consumer class action litigation. The injuries in these cases often consist primarily—or solely—of the violation of rights created by the statute. Defendants frequently seek to dismiss these actions on standing grounds.  They argue that mere violation of a right created by statute does not by itself constitute an injury-in-fact under Article III.

In Spokeo v. Robins, the Supreme Court provided some guidance for analyzing these standing challenges. This post examines Perry v. Cable News Network, a recent decision from the Eleventh Circuit that applied Spokeo. Perry involved a class action arising from an iPhone app’s alleged sharing of users’ video-watching history with a third-party data analytics company without those users’ consent. The plaintiffs alleged this sharing violated the Video Privacy Protection Act (VPPA).

Statutory Violations and Standing Under Spokeo

In Spokeo, the Supreme Court considered whether the violation of a right created by statute (in that case, the Fair Credit Reporting Act) can, without more, be enough to establish Article III standing in federal court.  

The Supreme Court held that violation of a statutory right may constitute an injury-in-fact sufficient to establish Article III standing, but only if the plaintiff suffers “concrete” harm from that violation. The Supreme Court, however, did not explain precisely how a plaintiff might establish the requisite concreteness in a given case.

The Court did suggest that harm caused by the violation of a statutory right can be concrete—even without a showing of additional harm—where it “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts.” But a “bare procedural violation,” absent more, would not be sufficient.    

Since Spokeo, defendants in class actions founded on violations of statutorily-created privacy rights have frequently sought to dismiss for lack of standing, with mixed success. 

Streaming Didn’t Kill the Video Privacy Protection Act

In Perry, the statute in question was the VPPA. Subject to certain exceptions, the VPPA prohibits a “video tape service provider” from disclosing consumers’ personally identifiable video rental and sale records. The statute was famously enacted in 1988 in response to a newspaper’s publication of an article discussing Supreme Court nominee Judge Robert H. Bork’s rental history from a Washington, DC videotape rental store.

Although adopted in the VHS era, the statute has also been held to apply to modern-day video streaming services. In that context, the VPPA has been interpreted to prohibit disclosures that tie “specific people to the videos they watch.”

Watching You Watching Me

Perry centered on CNN’s iPhone app, which was available for free download from the iTunes store. The CNN app allowed users to watch recorded CNN video clips and the network’s coverage of live events. According to the complaint, CNN tracked and recorded app users’ viewing activity, and then, without their knowledge or consent, sent the collected records to a data analytics company called Bango. Those records included unique numeric identifiers that corresponded to users’ iPhones, but not the users’ names or other identifying information. Bango would then combine the records received from CNN with data collected from other sources to build a profile of users’ online behavior.

In a single-count class action complaint, plaintiff Ryan Perry alleged that CNN’s disclosure of app users’ device identifiers and viewing activity to Bango without their consent violated the VPPA. He sought an injunction, as well as statutory and punitive damages for the violation of his “statutorily-defined right to privacy.”

In a pre-Spokeo decision, the trial court granted CNN’s motion to dismiss. It found after a brief discussion that Perry had standing to sue because he alleged a violation of the VPPA. But the court determined that Perry’s complaint did not state a claim under the VPPA, both because his allegations did not establish that he was a “consumer” under the statute and because the data disclosed by CNN to Bango did not constitute “personally identifiable information.”

Is the violation of a privacy interest in video-viewing history a concrete injury?

The Supreme Court decided Spokeo shortly after the trial court’s dismissal.  On appeal, CNN relied on Spokeo to argue that Perry lacked standing.

In its brief, CNN argued that Perry could not establish injury-in-fact under Spokeo because any violation of the VPPA, standing alone, did not give rise to a “concrete” harm. CNN reasoned that the disclosure of his video-viewing history to Bango did not cause personal embarrassment or damage to his employment prospects. Nor, contended CNN, did that disclosure otherwise resemble a harm that traditionally provided a basis for a lawsuit in English or American courts. 

The Eleventh Circuit disagreed. It explained that the “right of privacy” has been widely recognized by American courts to give individuals an interest in control over their personal information. It noted that the Supreme Court had previously recognized that an individual has an interest in preventing the disclosure of personal information. And it observed that the well-established tort of intrusion upon seclusion subjected defendants to liability for “the intrusion itself,” even without publication or other use of information gleaned through the intrusion.

The court thus concluded that a disclosure of personal information in violation of the VPPA is—even without a showing of additional harm—a concrete injury that can establish Article III standing.  

Although Perry won the standing battle, he ultimately lost the war. The Eleventh Circuit concluded that under an earlier decision in which it had interpreted the VPPA, Perry could not establish that his use of CNN’s free app made him a “consumer” protected by the statute. The court thus affirmed dismissal of Perry’s VPPA claim on that ground.

Lessons from Perry

Despite its affirmance of the dismissal of Perry’s claims, Perry can be viewed as a significant win for the plaintiffs’ bar on the standing front. That’s certainly true for VPPA cases in the Eleventh Circuit.

But the decision will also provide ammunition to plaintiffs seeking to ward off standing-based challenges in cases that allege violations of other privacy statutes. Provided they can credibly show that those statutes protect privacy interests that have been recognized by courts before, Perry’s reasoning would seem to insulate such claims against dismissal for lack of standing.

Author: Alex Pearce

Trust but Verify? Liability for Engaging in Transactions with an Identity Thief

After a data breach, consumers often sue to recover for injuries they suffer, or fear they will suffer, when identity thieves use the stolen data. These suits usually target the company that suffered the data breach. 

But can a company that allows an identity thief to make purchases or apply for credit in a consumer’s name using the stolen data also be subject to suit?

The U.S. District Court for the Eastern District of North Carolina recently considered that question in Rogers v. Keffer, Inc. Chief Judge James C. Dever III’s decision in Rogers raises several interesting issues. This post discusses two of them:

  • Can overlooking inconsistencies in information supplied by an identity thief to make purchases or to obtain credit in a consumer’s name give rise to liability under N.C. Gen. Stat. § 75-1.1?
  • Does disclosing stolen data supplied by an identity thief in furtherance of a fraudulent transaction constitute a “security breach” that requires notification to the affected consumer?

Gone (and Back) in 11 Days: an Unusually Brazen Car Thief

In November 2015, an impostor claiming to be Andrew Stutfield Rogers entered a Charlotte car dealership operated by Keffer, Inc. The impostor provided Rogers’s social security number and date of birth, along with a driver’s license with the name “Andrew Leon Rogers” and a nonexistent South Carolina mailing address. Rogers had not lived in South Carolina since 1992.

Keffer took this information and made inquiries into Rogers’s credit report. Keffer then used Rogers’s information to help the impostor obtain a car loan in Rogers’s name from JPMorgan Chase Bank. The impostor applied the loan proceeds to buy a car.    

Eleven days later, the impostor returned to Keffer and repeated the scheme. With Keffer’s help, he again obtained a car loan in Rogers’s name—this time from a different lender—and bought and drove away with a second car. 

Rogers, of course, didn’t know any of this when it happened.

Instead, he first learned of a problem several weeks later, when he received an email from JPMorgan that congratulated him on his new car loan. Rogers then repeatedly called JPMorgan to explain that he had not requested or authorized the loan and that his identity had been stolen.

Even after those contacts, JPMorgan continued to report the loan to credit reporting agencies as belonging to Rogers. JPMorgan also mailed two letters to Rogers that demanded he make payments on the loan. 

Rogers sued Keffer and JPMorgan (among other defendants) in Wake County Superior Court, complaining of injuries that included harm to his credit score, loss of employment opportunities, and emotional distress.  JPMorgan removed the case to federal court.   

Rogers’s claims against Keffer and JPMorgan included a section 75-1.1 claim based on their failure to recognize and to respond appropriately to the impostor’s fraudulent scheme. He also accused Keffer of violating N.C. Gen. Stat. § 75-65, which requires companies to notify individuals of security breaches that involve their personal information. 

Keffer and JPMorgan both moved to dismiss.

Unwitting Accomplice as Section 75-1.1 Defendant?

According to Rogers, Keffer violated section 75-1.1 by failing to verify the impostor’s identity and by overlooking inconsistencies in information supplied by the impostor to complete the car loan applications.

Judge Dever, however, determined the claim could not proceed on those grounds.   

Judge Dever first observed that, under North Carolina law, “wrongful and intentional” harm to a plaintiff’s credit rating and business prospects can support a claim under section 75-1.1. But he found that Rogers’s allegations against Keffer did not satisfy that standard.

Judge Dever acknowledged that Keffer’s actions may have been negligent. But, as often happens when courts confront direct unfairness claims, he concluded without much explanation that those actions were not unfair enough to violate section 75-1.1.  Rogers, he observed, simply had not shown those actions were “immoral, unethical, oppressive, or unscrupulous,” or met other formulations of the unfairness standard under the statute.

As to JPMorgan, Rogers’s section 75-1.1 claim rested on two grounds:

  • reporting the fraudulent loan to credit reporting agencies and failing to properly investigate and to correct erroneous information in its records; and
  • sending collection letters to Rogers despite multiple notifications from Rogers that the account was procured by fraud.

Relying on a 2010 opinion from the Fourth Circuit, Judge Dever held that the claim was preempted as to the first ground by the federal Fair Credit Reporting Act, under which Rogers had asserted a separate claim.  

As to the second ground, however, Judge Dever denied JPMorgan’s motion. He found that JPMorgan’s sending of collection letters to Rogers fell outside the scope of the Fair Credit Reporting Act and that the section 75-1.1 claim was not preempted insofar as it relied on that conduct. And because JPMorgan had reason to know that the loan was fraudulent before it sent those letters, the claim could proceed on that ground. 

Is Furnishing Stolen Information a Security Breach?

Rogers also alleged that Keffer violated section 75-65 by failing to notify him of a security breach involving his social security number. Notably, section 75-65 expressly states that violation of its notification requirement is a per se violation of section 75-1.1. 

According to Rogers, Keffer’s disclosure of his social security number to credit reporting agencies and banks in the course of helping the identity thief to obtain the car loans was a “security breach” for purposes of section 75-65. Keffer failed to notify him of that breach, he argued, and therefore violated the statute.

Judge Dever dismissed the claim. In doing so, however, Judge Dever did not directly address whether Keffer’s unwitting disclosure of Rogers’s social security number to other parties in furtherance of the impostor’s scheme qualified as a “security breach” giving rise to a duty to notify Rogers.

Even assuming it did, he reasoned, Rogers could not show that Keffer’s failure to notify him proximately caused Rogers any injury. Rogers discovered the fraud before Keffer discovered it; indeed, Rogers notified Keffer about the fraud. And Rogers could not point to any expenses that he could have avoided had Keffer found the fraud first and notified him.  

Lessons from Rogers

The prospect of recovery under 75-1.1 is no doubt attractive to consumers unwinding the effects of identity theft in the wake of a data breach. Judge Dever’s decision, however, indicates that these types of claims face an uphill battle. 

Under Rogers, such claims must allege more than a mere failure to recognize a thief’s scheme, even when the facts suggest the scheme should have been obvious. Once a company has actual notice that fraud has occurred, though, continuing to act as if it has not may well be enough.

As for per se claims premised on section 75-65, Rogers leaves open the intriguing question whether its breach notification requirement applies to companies who unwittingly share stolen information after an identity thief comes to call. But if a notification obligation does apply, Rogers confirms that would-be plaintiffs must allege specifically how they were harmed by the defendant’s failure to comply.

Author: Alex Pearce