California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys

Everett Monroe 
September 14, 2016

Governor Brown signed into law AB 2828, which will update California’s breach notification statute.  The law addresses encrypted Personally Identifiable Information that has been breached in the event that the encryption keys are also compromised. The law will go into effect January 1st.

AB 2828 seeks to close a loophole in California’s current data breach notification law, Civil Code Section 1798.82, under which a business must notify affected persons of a data breach where unencrypted personal information is lost. Presently, Section 1798.82 does not expressly require notification where the lost data was encrypted and the encryption key was also lost or improperly disclosed. That data would be at as much risk as unencrypted information, but there is no requirement to notify affected individuals. But requiring companies to report all data breaches where encrypted information was lost but the key remains secure may result in notifications to individuals who are not at serious risk of identity theft, fraud, or loss of privacy.


In Bristol-Myers, CA Supremes Find Contacts Insufficient For General Jurisdiction, But Expand the Scope of Specific Jurisdiction

Merton Howard 
August 30, 2016

Non-resident companies across the United States have been anxiously awaiting the California Supreme Court’s decision in Bristol-Myers Squibb Company v. Superior Court (San Francisco) regarding the reach of the state’s personal jurisdiction statute.  In an opinion authored by Chief Justice Cantil-Sakauye, a 4-3 majority held that Bristol-Myers Squibb (BMS) is subject to jurisdiction in California on suits by non-resident plaintiffs injured outside the state, but limited its holding to claims based on specific jurisdiction only.

The underlying actions, some 592 consolidated claims by non-resident plaintiffs, had been challenged by BMS via a Motion to Quash for lack of personal jurisdiction.  BMS argued that the company is incorporated in Delaware, headquartered in New York City, and maintains substantial operations in New Jersey.  Furthermore, BMS claimed that none of the at-issue complaints contained any claims that the non-resident plaintiffs’ injuries occurred in California or that they had been treated for their injuries here.  As such, it believed neither specific nor general personal jurisdiction could be exercised over it for claims by non-resident plaintiffs.

After some procedural back and forth on the applicability of general jurisdiction in light of the United States Supreme Court’s decision in Daimler AG v. Bauman (2014) 571 U.S. ___ [134 S.Ct. 746] (Daimler), the Court of Appeal for California heard the BMS cases on transfer, and held that it was specific personal jurisdiction, and not general, which California had the right to exercise over BMS.  It was this decision that the State Supreme Court yesterday affirmed.


To Qualify For ERISA’s ‘Church Plan’ Exemption, 9th Circuit Rules The Pension Plan Must Be Established By A Church, Not A Hospital

Eric Junginger 
August 17, 2016

While it seems straightforward that a church must establish and maintain a pension plan in order to qualify for the “church-plan” exemption to the Employee Retirement Income Security Act of 1974 (“ERISA”), it has taken three federal District Court decisions in the United States to convey this message to many hospitals.  On July 26, 2016, the Ninth Circuit Court of Appeal in Rollins v. Dignity Health (7-26-2016) (16 C.D.O.S. 7916) became the latest district to join the Third Circuit [Kaplan v. Saint Peter’s Healthcare Sys., 810 F.3d 175, 180-81 (2015)] and the Seventh Circuit [Stapleton v. Advocate Health Care Network, 817 F.3d 517, 523-27 (2016)] in rendering this interpretation in regard to hospital pension plans.

In Rollins, an employee of San Bernardino Community Hospital, which became affiliated with Catholic Healthcare West (“CHW”) and whose name was later changed to “Dignity Health”, was advised that CHW considered her pension plan to be a church plan exempt from ERISA.  This determination was based on two factors: (1) CHW was initially formed by the merger of two nonprofit hospital systems established by two church congregations, and the CHW pension plan was combined with five other individual hospital plans or church plans into the employee’s existing pension plan; and (2) a 1983 General Counsel Memorandum from the I.R.S. which opined that a pension plan may qualify as a church plan if it is maintained by the Catholic Church, regardless of what entity established the plan.  See I.R.S. Gen. Couns. Mem. 39,007 (July 1, 1983).

The Ninth Circuit expressly disagreed with the I.R.S. opinion letter and Dignity Health’s position that it had a “church plan” because both ignored the express language in the ERISA statute and its Legislative History.  First, ERISA states that “church plans”, which are established and maintained by a church or association of churches, are exempt from the applicable requirements of ERISA.  Both elements are required to qualify for the exemption.  See 29 U.S.C. at §§ 1002(33) and 1003(b)(2).  Second, the Legislative History makes clear that when these laws were originally enacted in 1974, these same two requirements existed.  The subsequent amendments in 1980 did not eliminate the requirement that a church plan be established by a church; rather, they expanded the definition of employees eligible to participate in a church plan and expanded the entities that could maintain such plans (e.g., church-controlled or church-affiliated pension boards instead of just the church itself).

Why does losing the church plan ERISA exemption matter to Dignity Health and other hospitals around the country (e.g., Saint Peter’s Healthcare System; Advocate Health Care Network)?  For years, these hospitals have not complied with the funding requirements of ERISA and hundreds of thousands of hospital employees are facing a shortfall of billions of dollars in their pensions.  Because these hospitals are facing significant financial liability, they have petitioned the U.S. Supreme Court to weigh in on the requirement that a church must establish a pension plan in order to qualify for the church plan ERISA exemption.

Three Lessons from the Federal Trade Commission’s LabMD decision

Everett Monroe 
August 10, 2016

The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security than they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of claims a business makes to consumers.

The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to the computers. This access allowed an employee to install peer-to-peer file sharing software and configure it so that it made patients’ sensitive medical data available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.

Baral v. Schnitt: The Roadmap For Anti-SLAPP Motions Has Dramatically Changed

Neil Bardack 
August 9, 2016

The California Supreme Court in Baral v. Schnitt, No. S225090 (filed 8/1/2016), has clarified a “perplexing” conflict among several Districts of the Court of Appeal about the application of Code of Civ. Proc. Section 425.16(b)(1) (the Anti-SLAPP statute) to strike allegations in a mixed cause of action, that is, one that combines allegations of activity protected by the statute with allegations of unprotected activity.

Protected activity arises out of the defendant’s exercise of the constitutional rights of free speech or petition.  When pleadings assert a cause of action that implicates both those activities and unprotected activities, there was a disagreement in the appellate districts and even divisions as to whether the statute supported applying the Anti-SLAPP motion to the whole cause of action, which often resulted in the denial of the motion.  In essence, by artful pleading of intertwined allegations, a plaintiff could avoid dismissal of the cause of action and potential exposure to attorney’s fees in those courts that held that the motion lay only to strike an entire count as pleaded in the complaint, even where protected activity was alleged.  This result thwarted the purpose of the statute, which is to shield a defendant’s constitutionally protected conduct from the undue burden of frivolous litigation.

In Baral, the plaintiff pleaded in a single cause of action that Schnitt committed both libel and slander by knowingly providing false information about Baral’s possible misappropriation of company assets to an outside accounting firm hired to investigate the company owned by them; this was protected activity.  However, the plaintiff linked this assertion with allegations that, once discovered as false, Schnitt refused to correct.  The false information was ultimately published, which was not protected activity and would not be reachable by Schnitt’s Anti-SLAPP motion.  The trial court’s denial of the motion was upheld by the Court of Appeal, which found that the Anti-SLAPP statute applied only to entire causes of action as pleaded, or to the complaint as a whole, not to isolated allegations within causes of action.

The Supreme Court determined that this result unduly limited the relief contemplated by the Legislature in enacting the Anti-SLAPP statute.  It approached the resolution by starting with the definition of a “cause of action” as intended to be subject to the motion to strike.  The high court held that the Legislature intended to require a plaintiff to show a probability of prevailing on “the claim” arising from protected activity, and this result should not depend on the form of the pleading.  The purpose of the statute is to protect activity, and courts may rule on the plaintiff’s specific claim of protected activity.

To assist the litigants, the Supreme Court provided the following roadmap of the showings and findings required under section 425.16(b):

At the first step, the moving defendant bears the burden of identifying all allegations of protected activity, and the claims for relief supported by them.  When relief is sought based on allegations of both protected and unprotected activity, the unprotected activity is disregarded at this stage. If the court determines that relief is sought based on allegations arising from activity protected by the statute, the second step is reached. There the burden shifts to the plaintiff to demonstrate that each challenged claim based on protected activity is legally sufficient and factually substantiated.  The court, without resolving evidentiary conflicts, must determine whether the plaintiff’s showing, if accepted by the trier of fact, would be sufficient to sustain a favorable judgment. If not, the claim is stricken.  Allegations of protected activity supporting the stricken claim are eliminated from the complaint, unless they also support a distinct claim on which the plaintiff has shown a probability of prevailing.

Although there was much confusion in applying the Anti-SLAPP motion to allegations which were purposefully jumbled to avoid this special motion to strike, is the solution now cleared of the mud?

Ninth Circuit Rules No Arranger Liability for Smelter’s Air Pollutants under CERCLA

Michael Van Zandt 

The Ninth Circuit reversed a district court’s denial of a motion to dismiss claims brought against a smelting operation alleging that air pollutants from the operation that were blown downwind and deposited on land and water made the smelting operation an “arranger for disposal” under the Comprehensive Environmental Response, Compensation and Liability Act (“CERCLA”). The case is Pakootas v. Teck Cominco Metals, Ltd.


When does ‘Delete’ Really Mean Delete?

William Kellermann 
July 27, 2016

In the words of the late, great Browning Marean[i]:  “The “Delete” key is the greatest lie on the keyboard.”  Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account.  In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise.  Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook.)  This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Voilà! The message is gone!  Or is it?  For most people that would be true.  However, technologists, IT staff, email administrators, and electronic discovery practitioners know there is more.  Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time.  This allows an administrator to recover mail inadvertently “double-deleted” by a user.  Many other email systems maintain a similar server-side cache of deleted messages for the same reason.  Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven.  However, other systems may be size-driven – that is, content is not deleted from the server cache file until and unless it reaches a certain size.  At that time, older messages are overwritten to make room for newer messages in an updated version of the cache.  Until that time, the messages persist.

Further, most software used to recover, extract, and export messages typically captures, or provides options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop where communications were made using drafts of messages never sent.  One dealer would log in to the account and create a draft of a message.  The intended recipient would then log in to the same account, read the draft and respond, by either overwriting the prior draft or deleting the draft and creating a new draft.  However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order get bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter.  Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time honored, traditional law enforcement investigative method:  Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.

California Supreme Court Upholds Pre-condemnation Entry and Testing Law with Addition of Jury Option

Samir Abdelnour 

On July 21, 2016, the California Supreme Court validated California’s pre-condemnation entry and testing statutes (Code of Civil Procedure sections 1245.010-1245.060), but determined that the law must be judicially reformed to be consistent with constitutional requirements for eminent domain proceedings by allowing affected landowners to have a jury determine the measure of damages to which they are entitled. In Property Reserve, Inc. v. Superior Court, the State Department of Water Resources (“DWR”) sought a court order to enter more than 150 privately owned properties as part of DWR’s effort to investigate the feasibility of building a new tunnel or canal in the Sacramento-San Joaquin Delta for delivering water from Northern California to Central and Southern California.


McDonald’s On The Hook For Class Certification Of Wage And Hour Claims Under Ostensible Agency Theory

Emily Leahy 
July 18, 2016

Despite finding that as a matter of law McDonald’s was not directly liable as a joint employer, a California federal judge granted class certification to McDonald’s workers, saying the claims against McDonald’s Corp. can proceed on a classwide basis under a theory of ostensible agency.  Under this theory, McDonald’s could be liable because employees reasonably believed they were employed by McDonald’s.

The Facts

The workers filed the class action in 2014, alleging a variety of wage and hour violations by defendant the Edward J. Smith and Valerie S. Smith Family Limited Partnership (“Smith”), which owns and operates five restaurants in California under a franchise agreement with McDonald’s. Plaintiffs also sued McDonald’s on direct and vicarious liability grounds.

McDonald’s moved for summary judgment on the grounds that it was not a joint employer. The Court granted summary judgment on plaintiffs’ direct liability theories, finding that McDonald’s is not directly liable as a joint employer with the Smiths, but denied it on the issue of whether McDonald’s may be liable on an ostensible agency basis. Ostensible agency exists where (1) the person dealing with the agent does so with reasonable belief in the agent’s authority; (2) that belief is “generated by some act or neglect of the principal sought to be charged,” and (3) the relying party is not negligent. Kaplan v. Coldwell Banker Residential Affiliates, Inc., 59 Cal. App. 4th 741, 747 (1997).

Plaintiffs then settled with the Smiths, leaving the McDonald’s entities as the last standing defendants.

Plaintiffs moved for certification of a class to pursue claims for: (1) miscalculated wages; (2) overtime; (3) meals and rest breaks; (4) maintenance of uniforms; (5) wage statements; and (6) related derivative claims.

Ostensible Agency Not A Bar To Class Certification

McDonald’s argued that allegations of ostensible agency are incapable of being resolved on a classwide basis because they involve individualized questions of personal belief and reasonable reliance on an agency relationship.

The court disagreed, holding that ostensible agency does not demand unique or alternative treatment, and “certainly does not stand entirely outside Rule 23 as impossible to adjudicate on a classwide basis.”


A California Litigation Blog