Three Lessons from the Federal Trade Commission’s LabMD decision

 
Everett Monroe
August 10, 2016

The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common-sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security than they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of claims a business makes to consumers.

The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to the computers. This access allowed an employee to install peer-to-peer file-sharing software and configure it so that it made patients’ sensitive medical data available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.

Baral v. Schnitt: The Roadmap For Anti-SLAPP Motions Has Dramatically Changed

 
Neil Bardack
August 9, 2016

The California Supreme Court in Baral v. Schnitt, No. S225090 (filed 8/1/2016),  has clarified a “perplexing” conflict among several Districts of the Court of Appeal about the application of  Code of Civ. Proc. Section 425.16(b)(1) (the Anti-SLAPP statute) when applied to strike allegations in a mixed cause of action,  where it combines allegations of activity protected by the statute with allegations of unprotected activity.

Protected activity arises out of the defendant’s exercise of the constitutional rights of free speech or petition. When pleadings assert a cause of action that implicates both those activities and unprotected activities, there was a disagreement in the appellate districts and even divisions as to whether the statute supported applying the Anti-SLAPP motion to the whole cause of action, which often resulted in the denial of the motion. In essence, by artful pleading of intertwined allegations, a plaintiff could avoid dismissal of the cause of action and potential exposure to attorney’s fees in those courts that held that the motion lay only to strike an entire count as pleaded in the complaint, even where protected activity was alleged. This result thwarted the purpose of the statute, which is to shield a defendant’s constitutionally protected conduct from the undue burden of frivolous litigation.

In Baral, the plaintiff pleaded in a single cause of action that Schnitt committed both libel and slander by knowingly providing false information about Baral’s possible misappropriation of company assets to an outside accounting firm hired to investigate the company owned by them; this was protected activity. However, the plaintiff linked this assertion with allegations that, once discovered as false, Schnitt refused to correct. The false information was ultimately published, which was not protected activity and would not be reachable by Schnitt’s Anti-SLAPP motion. The trial court’s denial of the motion was upheld by the Court of Appeal, which found that the Anti-SLAPP statute applied only to entire causes of action as pleaded, or to the complaint as a whole, not to isolated allegations within causes of action.

The Supreme Court determined that this result unduly limited the relief contemplated by the Legislature in enacting the Anti-SLAPP statute.  It approached the resolution by starting with the definition of a “cause of action” as intended to be subject to the motion to strike.  The high court held that the Legislature intended to require a plaintiff to show a probability of prevailing on “the claim” arising from protected activity, and this result should not depend on the form of the pleading.  The purpose of the statute is to protect activity, and courts may rule on the plaintiff’s specific claim of protected activity.

To assist the litigants, the Supreme Court provided the following roadmap of the showings and findings required under section 425.16(b):

At the first step, the moving defendant bears the burden of identifying all allegations of protected activity, and the claims for relief supported by them. When relief is sought based on allegations of both protected and unprotected activity, the unprotected activity is disregarded at this stage. If the court determines that relief is sought based on allegations arising from activity protected by the statute, the second step is reached. There the burden shifts to the plaintiff to demonstrate that each challenged claim based on protected activity is legally sufficient and factually substantiated. The court, without resolving evidentiary conflicts, must determine whether the plaintiff’s showing, if accepted by the trier of fact, would be sufficient to sustain a favorable judgment. If not, the claim is stricken. Allegations of protected activity supporting the stricken claim are eliminated from the complaint, unless they also support a distinct claim on which the plaintiff has shown a probability of prevailing.

Although there was much confusion in applying the Anti-SLAPP motion to allegations which were purposefully jumbled to avoid this special motion to strike, is the solution now cleared of the mud?

Ninth Circuit Rules No Arranger Liability for Smelter’s Air Pollutants under CERCLA

 
Michael Van Zandt

The Ninth Circuit reversed a district court’s denial of a motion to dismiss claims brought against a smelting operation alleging that air pollutants from the operation that were blown downwind and deposited on land and water made the smelting operation an “arranger for disposal” under the Comprehensive Environmental Response, Compensation and Liability Act (“CERCLA”). The case is Pakootas v. Teck Cominco Metals, Ltd.


When does ‘Delete’ Really Mean Delete?

 
William Kellermann
July 27, 2016

In the words of the late, great Browning Marean[i]: “The ‘Delete’ key is the greatest lie on the keyboard.” Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account. In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise. Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook.)  This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Voilà! The message is gone! Or is it? For most people that would be true. However, technologists, IT staff, email administrators, and electronic discovery practitioners know there is more. Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time. This allows an administrator to recover mail inadvertently “double-deleted” by a user. Many other email systems maintain a similar server-side cache of deleted messages for the same reason. Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven. However, other systems may be size-driven – that is, content is not deleted from the server cache file until and unless the cache file reaches a certain size. At that time, older messages are overwritten to make room for newer messages in an updated version of the cache. Until that time, the messages persist.

Further, most software used to recover, extract, and export messages typically captures, or provides options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.
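The deletion stages and the two cache policies described above can be modeled in a few lines. This is an added example, not code from Microsoft Exchange, Yahoo!, or the original post; the class names, the 14-day retention period, and the message sizes are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Message:
    msg_id: str
    size: int                              # bytes (constructed value)
    folder: str = "Inbox"
    purged_by_user_at: Optional[datetime] = None

@dataclass
class Mailbox:
    """Toy model of delete -> double delete -> server-side cache."""
    retention: Optional[timedelta] = None  # date-driven policy
    max_cache_bytes: Optional[int] = None  # size-driven policy
    folders: dict = field(default_factory=dict)   # what the user can see
    dumpster: list = field(default_factory=list)  # server cache, oldest first

    def deliver(self, msg: Message) -> None:
        self.folders[msg.msg_id] = msg

    def user_delete(self, msg_id: str, now: datetime) -> None:
        msg = self.folders[msg_id]
        if msg.folder != "Deleted Items":
            msg.folder = "Deleted Items"   # step 1: moved, still visible
            return
        del self.folders[msg_id]           # step 2: gone from the user's view
        msg.folder, msg.purged_by_user_at = "Dumpster", now
        self.dumpster.append(msg)
        self.enforce_policy(now)

    def enforce_policy(self, now: datetime) -> None:
        if self.retention is not None:     # date-driven: drop expired entries
            self.dumpster = [m for m in self.dumpster
                             if now - m.purged_by_user_at < self.retention]
        if self.max_cache_bytes is not None:  # size-driven: oldest goes first
            while sum(m.size for m in self.dumpster) > self.max_cache_bytes:
                self.dumpster.pop(0)

    def user_view(self) -> list:
        return sorted(self.folders)

    def admin_export(self, now: datetime) -> list:
        """Everything tied to the account, server-side cache included."""
        self.enforce_policy(now)
        return sorted(self.folders) + [m.msg_id for m in self.dumpster]

def demo() -> dict:
    t0 = datetime(2016, 7, 1)              # constructed timeline
    dated = Mailbox(retention=timedelta(days=14))
    dated.deliver(Message("m1", 50))
    dated.user_delete("m1", t0)            # to Deleted Items
    dated.user_delete("m1", t0)            # "double deleted"
    sized = Mailbox(max_cache_bytes=100)
    for i, mid in enumerate(("a", "b")):
        sized.deliver(Message(mid, 60))
        sized.user_delete(mid, t0 + timedelta(days=i))
        sized.user_delete(mid, t0 + timedelta(days=i))
    return {
        "user_sees": dated.user_view(),
        "admin_day_13": dated.admin_export(t0 + timedelta(days=13)),
        "admin_day_15": dated.admin_export(t0 + timedelta(days=15)),
        "size_driven_after_1y": sized.admin_export(t0 + timedelta(days=365)),
    }
```

Under the size-driven policy the surviving message has no expiry date at all: it persists until enough newer deletions push it out of the cache.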

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop where communications were made using drafts of messages never sent. One dealer would log in to the account and create a draft of a message. The intended recipient would then log in to the same account, read the draft and respond, by either overwriting the prior draft or deleting the draft and creating a new draft. However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order get bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter. Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time-honored, traditional law enforcement investigative method: Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.

California Supreme Court Upholds Pre-condemnation Entry and Testing Law with Addition of Jury Option

 
Samir Abdelnour

On July 21, 2016, the California Supreme Court validated California’s pre-condemnation entry and testing statutes (Code of Civil Procedure sections 1245.010-1245.060), but determined that the law must be judicially reformed to be consistent with constitutional requirements for eminent domain proceedings by allowing affected landowners to have a jury determine the measure of damages to which they are entitled. In Property Reserve, Inc. v. Superior Court, the State Department of Water Resources (“DWR”) sought a court order to enter more than 150 privately owned properties as part of DWR’s effort to investigate the feasibility of building a new tunnel or canal in the Sacramento-San Joaquin Delta for delivering water from Northern California to Central and Southern California.


McDonald’s On The Hook For Class Certification Of Wage And Hour Claims Under Ostensible Agency Theory

 
Emily Leahy
July 18, 2016

Despite finding that as a matter of law McDonald’s was not directly liable as a joint employer, a California federal judge granted class certification to McDonald’s workers, saying the claims against McDonald’s Corp. can proceed on a classwide basis under a theory of ostensible agency.  Under this theory, McDonald’s could be liable because employees reasonably believed they were employed by McDonald’s.

The Facts

The workers filed the class action in 2014, alleging a variety of wage and hour violations by defendant the Edward J. Smith and Valerie S. Smith Family Limited Partnership (“Smith”), which owns and operates five restaurants in California under a franchise agreement with McDonald’s. Plaintiffs also sued McDonald’s on direct and vicarious liability grounds.

McDonald’s moved for summary judgment on the grounds that it was not a joint employer. The Court granted summary judgment on plaintiffs’ direct liability theories, finding that McDonald’s is not directly liable as a joint employer with the Smiths, but denied it on the issue of whether McDonald’s may be liable on an ostensible agency basis. Ostensible agency exists where (1) the person dealing with the agent does so with reasonable belief in the agent’s authority; (2) that belief is “generated by some act or neglect of the principal sought to be charged,” and (3) the relying party is not negligent. Kaplan v. Coldwell Banker Residential Affiliates, Inc., 59 Cal. App. 4th 741, 747 (1997).

Plaintiffs then settled with the Smiths, leaving the McDonald’s entities as the last standing defendants.

Plaintiffs moved for certification of a class to pursue claims for: (1) miscalculated wages; (2) overtime; (3) meals and rest breaks; (4) maintenance of uniforms; (5) wage statements; and (6) related derivative claims.

Ostensible Agency Not A Bar To Class Certification

McDonald’s argued that allegations of ostensible agency are incapable of being resolved on a classwide basis because they involve individualized questions of personal belief and reasonable reliance on an agency relationship.

The court disagreed, holding that ostensible agency does not demand unique or alternative treatment, and “certainly does not stand entirely outside Rule 23 as impossible to adjudicate on a classwide basis.”


U.S.-EU Privacy Shield receives final approval, scheduled to go live on August 1.

 
Everett Monroe
July 15, 2016

The European Commission has approved the EU – U.S. Privacy Shield to replace the Safe Harbor program invalidated by the European Court of Justice last year in Schrems v. Data Protection Commissioner. The Privacy Shield governs the transfer of personal information from the European Union to businesses in the United States. Indeed, it is apparent from the formal approval documents that the European Commission and the U.S. Department of Commerce made great efforts to address the procedural and substantive deficiencies identified in Schrems as well as criticisms raised by the EU’s data protection commissioners.

Key new requirements of the Privacy Shield for businesses include:

  • disclosing more information in their privacy policies,
  • introducing additional recourse mechanisms for data subjects for Privacy Shield violations, and
  • limiting data retention based on the original purposes for data collection.

These new requirements may prove challenging for many businesses. The Safe Harbor framework required assurances that the transferee provided an equivalent level of protection to the Safe Harbor. By contrast, the Privacy Shield requires data holders to obtain privacy-protective contracts from their business partners, even if the contractor participates in the Privacy Shield or uses other compliance mechanisms. Companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data sharing arrangements with their vendors and partners into compliance.

The Privacy Shield increases EU regulatory oversight, including the imposition of an annual joint review of the program and a formal exit procedure in the event the Commission finds the program deficient. The joint review will involve reporting—albeit limited—on U.S. intelligence activities intended to address the European Court of Justice’s concerns that the Safe Harbor decision did not include an analysis of the civil liberties protections from surveillance authorities. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as both the Article 29 Working Party and the European Data Protection Supervisor will scrutinize the application and enforcement of the Privacy Shield closely.

The Privacy Shield kept the benefits of the Safe Harbor’s light administrative procedures and self-certification framework that provides an easier way to receive EU data subject information than other mechanisms like model contract clauses or binding corporate rules. But businesses seeking to avail themselves of this option should be aware of the more stringent requirements, as well as the increased pressure on Federal agencies to show to EU authorities that the framework will substantively protect the privacy of EU data subjects, especially in the first year.

When Drafting An Arbitration Clause, Check Case Law First

 
Neil Bardack
June 16, 2016

In the recent decision of the California Court of Appeal in Rice v. Downs, Second Appellate District, Div. One, B261860 (Filed 6/1/16), the Court held the drafters of an arbitration clause (the parties and their lawyers alike) were experienced and would not have chosen language that they would have expected to be interpreted differently than the judicial interpretations in then-existing California and Ninth Circuit case law where their chosen language was reviewed. That is, the drafting parties were presumed to know the law.

This decision provides a good review of how arbitration language is typically used and litigated. What is important is that most drafters borrow language from other contracts without much thought of what a court would do when a dispute arises over the scope and meaning or what claims are included or not. Having been presumed to know the law, it is important for drafters to read it.

In Rice, the Court parsed through a number of litigated arbitration clause permutations to decide whether certain claims for malpractice, breach of fiduciary duty, and rescission claims that plaintiff Rice brought against his attorney Downs arose out of limited liability operating agreements drafted by the defendant attorney and were properly arbitrated with other disputes between the parties. These claims were not found to have arisen from the agreement under the following language: “any controversy between the parties arising out of this agreement” as they were not contractual claims (and even tort claims) that arose from the agreement itself. In so holding, the appellate court reversed the trial court’s decision ordering Rice’s claims for malpractice to arbitration.

The Court affirmed that arbitration clauses are to be interpreted like any other contract to give effect to the parties’ intentions in light of the usual and ordinary meaning of the contractual language and circumstances under which the contract was made. The focus on whether a particular dispute is intended by the parties to be arbitrated turns on whether the clause is broad (“any claim arising from or related to this agreement or arising in connection with the agreement”). In that case, even tort claims that have their roots in the relationship of the parties to the contract could be ordered to arbitration, as the factual allegations need only “touch matters covered by the contract between the parties.”

Having said this, the Court found that any determination of whether the parties intended to arbitrate a specific dispute had to be resolved by determining whether the claims are controversies “arising out of” the agreements, that is, whether the disputes “have their roots in the relationship between the parties which was created by the contract in dispute that has the arbitration clause.”

Upon holding that the drafters were experienced and presumed to know the law, the Court held the parties to examine how courts had interpreted the scope of the language being used to determine if a particular claim arose out of or from the agreement.

California Prop. 65 Warning Regulation Revisions Moving Closer to Final

 
Shannon Nessier
May 19, 2016

In the ongoing process of finalizing updated warning language for California’s Prop. 65 (Safe Drinking Water and Toxic Enforcement Act of 1986), the Office of Environmental Health Hazard Assessment (“OEHHA”) has issued a notice of further revisions to the third proposed version of the statutory language.

This regulation was originally the subject of a Notice of Proposed Rulemaking on November 27, 2015, which repealed a January 16, 2015, Notice, and provided fairly significant changes from the January 2015 issuance.   After accepting written comments and holding a public hearing, on March 25, 2016, OEHHA published a Notice of Modification of the proposed regulation.  OEHHA then accepted a second round of written comments, and this notice responds to those comments and provides further revisions.

OEHHA’s focus on refining the regulatory language since the first issuance in January 2015, allowing stakeholders repeated opportunities to comment, and making steady progress on revision efforts suggests it intends to finalize the proposed regulation by the one-year deadline, which runs on November 27, 2016. Once enacted, stakeholders will have two years to implement any new requirements.

The changes to the proposed regulation continue to refine the language and mode of traditional per se reasonable Prop. 65 warnings, add categories of people obligated to provide warnings, and clarify issues related to stream of commerce relationships and indemnity under Prop. 65.  The redlined text of the recent revisions can be found here.

A California Litigation Blog