Week 9 Reading Guide

The document provides instructions for a reading guide and quiz for an online class. It lists topics to be covered in the reading such as the Fair Credit Reporting Act, In re Spokeo, Bakkar v. McKinnon, and Paul v. Providence Health Sys. It directs students to fill out the reading guide as they read and submit it by the due date. The reading guide includes questions about the cases and topics that will be addressed in the professor's recorded lecture.

Uploaded by

jelena

Info Law, Policy, & Privacy

Prof. Robinson
Fall 2023

WEEK #9 ONLINE CLASS READING GUIDE & QUIZ


Instructions:
• This guide is designed to assist your understanding of the reading assignment.
• Fill in the reading guide as you are reading the material.
• Complete as much of the reading guide as possible before watching the recorded lectures. The recorded lectures are based on the reading guide and designed to help you answer any questions you may have struggled with while reading on your own.
• Timely submission of the reading guide satisfies your attendance requirement for the week.
• Reading Guide is due by:
  ◦ Sunday, October 29, 2023 before 5:00 p.m.

Week #9 Reading Guide—FCRA and Civil Suits for Data Breaches (pp. 381-83, 389-404, 421-37, 449-55)
1. FCRA
2. In re Spokeo
3. Bakker v. McKinnon
4. Paul v. Providence Health Sys
5. Resnick v. Avmed
6. Lone Star Nat'l Bank v. Heartland Payment Sys.

Notes from Prof. Robinson's Recap (optional):


In re Spokeo--FTC Complaint 2012


Fair Credit Reporting Act
• Where does the FTC draw its authority in this case?
  ◦ From the Fair Credit Reporting Act.
Section 621 of the FCRA (15 U.S.C. § 1681s) authorizes the Commission to enforce compliance with the FCRA:
(1) The Federal Trade Commission shall be authorized to enforce compliance with the requirements imposed by this subchapter under the Federal Trade Commission Act (15 U.S.C. 41 et seq.), with respect to consumer reporting agencies and all other persons subject thereto, except to the extent that enforcement of the requirements imposed under this subchapter is specifically committed to some other Government agency under any of subparagraphs (A) through (G) of subsection (b)(1), and subject to subtitle B of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5511 et seq.], subsection (b),

• Why is the FTC and not the CFPB bringing this action?
  ◦ Because traditionally the CFPB brings actions when companies are buying or selling restrictive data, and not cases about processing and use of data.
• What is Spokeo's business model—how does it make money?
  ◦ It takes consumers' information from multiple sources and resells that data.
• What personally identifiable information does Spokeo sell?
  ◦ Address, phone numbers, marital status, age, emails, photos.
• What conduct by Spokeo allegedly violates the FCRA?
  ◦ Spokeo was selling data profiles to companies to make decisions in the hiring process, and this data sharing is not allowed per statute.
• Why is this conduct problematic?
  ◦ The statute limits to whom those reports can be given.
• In 2010 Spokeo changed its website Terms of Service--why?
  ◦ Spokeo said that they are not a consumer reporting agency and that consumers cannot use the company's website or information for Fair Credit Reporting Act purposes, but it didn't revoke access for existing consumers.
• The FTC concludes that the consumer profiles Spokeo produces are "consumer reports" under the FCRA--why?
  ◦ Despite disclaiming that they are a consumer reporting agency, they are still selling credit reports.
• Spokeo argues that it is not a consumer reporting agency, why does the FTC conclude that Spokeo is a consumer reporting agency?
  ◦ The FTC says that because they are providing consumer reports, that makes them a consumer reporting agency, pointing to 1681a(f).
• What is required of Spokeo under § 1681e(a) because it is a consumer reporting agency?
  ◦ § 1681e(a) requires Consumer Reporting Agencies to:
    1) Require prospective users of the information to identify themselves to the CRA
    2) Require prospective users to certify the purpose for which the information is sought, and
    3) Require users to certify that the information will be used for any other purpose
• What must consumer reporting agencies do to meet those requirements?
  ◦ Must make a reasonable effort to verify the identity of each new prospective user and the uses certified prior to furnishing such a user a consumer report.
• What does the FTC say about Spokeo's compliance?
  ◦ Spokeo failed to follow any of the requirements.
• The FTC concludes that Spokeo failed to provide notice under 1681e(d)--What is the purpose of the § 1681e(d) Notice to Users of Consumer Reports requirement?
  ◦ It provides users of consumer reports with information about their obligations under the FCRA.
• § 1681b provides that reports can only be furnished for specified purposes--how did Spokeo violate this provision?
  ◦ Because they were selling these reports to anyone, including entities that they had no reason to believe had a reasonable purpose to obtain these reports.
• What potential penalties did Spokeo face?
  ◦ Statutory violations including: $2400 per violation before February 10 and 3400 per violation for those after February 10.
• How much did Spokeo settle for?
  ◦ $800,000 and an injunction against the violations mentioned in the complaint.
• Did Spokeo admit guilt as part of the settlement--does this matter?
  ◦ No.

Bakker v. McKinnon (8th Cir. 1998)


Fair Credit Reporting Act
• What are the key facts?
  ◦ McKinnon, an attorney, requested credit reports of Bakker and his daughter as part of her litigation strategy in hopes of forcing a settlement with Bakker.
• What is the procedural posture of the case?
  ◦ McKinnon is appealing a judgement finding that she violated the FCRA.
• What is the issue the court must address?
  ◦ Whether the credit reports that she received were consumer reports and, if so, whether the business need exception applies.
• How was § 1681b amended and why does it matter? (p. 399)
  ◦ Pre-1996, the statute allowed credit reports to be sold to anyone who had a legitimate business need. Post-1996, the statute changed; the language is narrow: the business transaction has to be initiated by the consumer, or you must already have a relationship with that consumer and need this information to make sure that they meet the requirements of the account.
• What were McKinnon’s proffered reasons for obtaining the reports?
  ◦ She needed this information to make sure that the doctor had money to satisfy the judgement and that he was not transferring money to his daughter.
• What does the court say to this argument?
  ◦ Pre-1996, the statute allowed credit reports to be sold to anyone who had a legitimate business need. Post-1996, the statute changed; the language is narrow: the business transaction has to be initiated by the consumer, or you must already have a relationship with that consumer and need this information to make sure that they meet the requirements of the account.
• How does the court address McKinnon's argument that she had a legitimate business need for the credit reports?
  ◦ The court argues that even with the broad language of the pre-1996 statute, McKinnon cannot prove that she had a consumer relationship with the doctor and his daughter.
• What does the court say about McKinnon's argument against punitive damages?
  ◦ The court concluded that McKinnon used the reports with malice and disregarded this argument.
• Final Result?
  ◦ McKinnon lost.

Paul v. Providence Health System 273 P.3d 106 (Or. 2012)


Civil Suit for Data Breach--Data Not Exploited
• What are the key facts?
  ◦ Providence Health System-Oregon had stored personal information for around 365,000 patients on computer disks and tapes, including sensitive details like names, addresses, Social Security numbers, and health information. These storage devices were stolen from an employee's car. In response, Providence notified the affected patients and recommended protective measures against identity theft. Subsequently, the patients collectively filed a class-action lawsuit against Providence, alleging negligence and violation of the state Unfair Trade Practices Act (UTPA).
• What is the issue the court must address?
  ◦ Whether the health care provider might be liable when its negligence permitted the possibility of identity theft but the information was never used by anyone.
• What are the parties’ arguments?
  ◦ Plaintiffs’ Argument: That the defendant’s conduct caused them financial injury such as past and present credit monitoring, notification of governmental agencies of theft, and potential costs of identity theft.
  ◦ Defendant’s Argument: Plaintiffs failed to state a claim because their claims are based on future injury rather than present harm.
• What is the procedural posture of the case?
  ◦ The state court granted Summary Judgment on the argument that there was no actual injury. The intermediate appellate court affirmed. Now it is before the Oregon Supreme Court.
• The court first assesses plaintiffs' negligence claim--how does the court frame this claim?
  ◦ "Plaintiffs allege that defendant's negligence created the risk of future identity theft, and they seek economic damages for the past and future expense of credit monitoring services and related expenditures made to address the risk of identity theft."
• The court discusses the economic loss rule--what is it?
  ◦ Economic damages are not ordinarily available in negligence actions when there are no actual damages to the person or the property. However, damages are available when the defendant has a duty to guard against the economic loss that occurred.
• Does the court conclude that defendant owed plaintiffs a duty to protect against economic loss?
  ◦ "Assuming without deciding, that defendant owed a duty to protect plaintiffs against economic losses, we nevertheless conclude, for the reasons that follow, that plaintiffs' allegations here are insufficient because plaintiffs do not allege actual, present injury caused by defendant's conduct."
• Why does the court conclude that plaintiffs' claims fail?
  ◦ The court concludes that a future harm claim is not cognizable because "the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negligence claim."
• What does the court say about plaintiffs' claims that they should be allowed to recover the past and present expenses--namely credit monitoring--that they have incurred to protect themselves from future economic harm?
  ◦ "The fact that a defendant's negligence poses a threat of future physical harm is not sufficient, standing alone, to constitute an actionable injury." Furthermore, "proof of damage is an essential part of the plaintiffs' case and nominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred."
• The court analogizes this case to what type of cases?
  ◦ To medical monitoring cases.
• What does the decision say about other courts who have addressed this issue?
  ◦ That potential harm does not constitute an actual injury because no one suffered any harm.
• What is the court’s ultimate holding?
  ◦ The present harm that defendants' actions allegedly have caused--the cost of medical monitoring--is not sufficient to give rise to a negligence claim. ... It follows, in our view, that the cost of credit monitoring that results, not from any 'present economic harm' to plaintiffs, but rather from the risk of possible future harm, also is insufficient to state a negligence claim.
• What does the court do with plaintiffs' state law unfair trade practices act claim?
  ◦ This claim also requires loss of money and property, and plaintiffs did not suffer those losses here.
• What do you think of the result of this case?
  ◦ I agree with the holding because no one suffered any injury.

Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)


Civil Suit for Data Breach
• What are the key facts?
  ◦ AvMed, Inc. (the defendant) operated as a healthcare service provider. At one point, two laptops containing the personal data of 1.2 million current and former AvMed members were stolen from the company's office. The information stored on these laptops was not protected or encrypted in any way. Juana Curry and William Moore, both AvMed members (the plaintiffs), fell victim to identity theft 10 and 14 months after the theft of AvMed's laptops. Curry and Moore filed a lawsuit against AvMed, alleging negligence and other claims. They argued that they had taken reasonable measures to protect their sensitive information and that the data on AvMed's laptops was the same information used by identity thieves to perpetrate their crimes.
• What is the procedural posture of the case?
  ◦ The district court granted AvMed’s motion to dismiss the complaint for failure to state a claim on which relief could be granted. In response, plaintiffs amended their complaint. Defendant again filed a motion to dismiss and the court again granted this motion to dismiss.
• What issues must the court address?
  (1) Whether a data breach wherein consumers become victims of identity theft and suffer monetary damages as a result constitutes an actual injury?
  (2) Whether plaintiffs have adequately pleaded facts to support an unjust enrichment claim?
  (3) Whether defendant is subject to Florida Statute section 395.3025(4)--this is the basis of plaintiffs' negligence per se claim
  (4) Whether a claim for breach of the implied covenant of good faith and fair dealing can be brought in the absence of evidence of a conscious or deliberate act by the allegedly breaching party?
• What are the parties’ arguments?
  ◦ Plaintiffs’ Argument: Plaintiffs state that they are victims of identity theft.
  ◦ Defendant’s Argument: Defendant presents the opposite argument.
• The court first takes up the question of causation--concluding that 6 of the 7 claims require plaintiff to show causation--which one doesn't require such a showing?
  ◦ Unjust enrichment
• What rules does the court provide for determining causation in data breach cases?
  ◦ "Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence."
• How does the court apply the rules here?
  ◦ The court applies the test set in Stollenwerk, where the 9th Circuit court held that the plaintiff sufficiently showed a causal relationship where:
    (1) [plaintiff] gave [the defendant] his personal information;
    (2) the identity fraud incidents began six weeks after the hard drives containing [defendant's] customers' personal information were stolen; and
    (3) [plaintiff had] previously not suffered any such incidents of identity theft.
    Applying this test, the court concluded that the plaintiffs claim that there is a connection between the two incidents that goes beyond mere timing and sequence. They assert that the confidential data on the stolen laptop is identical to the sensitive information that was employed to perpetrate identity theft against them.
• Can you explain the factual basis for plaintiffs' unjust enrichment claim?
  ◦ Plaintiff had a monthly insurance premium and claims that they expected that this insurance would cover a data breach; however, defendant did not secure their data, and therefore defendant was unjustly enriched because they got payments for something that they didn’t do.
• How does the defendant respond to this argument?
  ◦ Defendant argued that plaintiff had health insurance but not data security insurance.
• What must plaintiffs show in order to prevail on the unjust enrichment claim?
  (1) The plaintiff has conferred a benefit on the defendant;
  (2) The defendant has knowledge of the benefit;
  (3) The defendant has accepted or retained the benefit conferred; and
  (4) The circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.
• What does the court conclude as to the unjust enrichment claim?
  ◦ The court concludes that plaintiff was able to prove the unjust enrichment claim.
• Why does the court conclude that plaintiffs’ negligence per se claim fails?
  ◦ Because FL’s statute applies only to hospitals, ambulances, and surgical centers, and defendant is not any of those, the statute does not apply.
• The court kicks plaintiffs' claim for breach of the implied covenant of good faith and fair dealing--what is the rule it uses to do so?
  ◦ Because plaintiff failed to show that defendant had any bad faith.
• The dissent has two criticisms of the opinion--what are they?
  ◦ First, plaintiff failed to allege what sensitive information was used to open the accounts and if that information might come from some other source.
  ◦ Second, plaintiffs' unjust enrichment claim cannot stand if there is an express contract.

Lone Star Nat'l Bank, N.A. v. Heartland Payment Sys., 729 F.3d 421 (5th Cir. 2013)

Civil Suit for Data Breach
• What are the key facts?
  ◦ Visa and MasterCard utilized a network of various entities to handle their credit-card and debit-card transactions. When a consumer made a purchase with a merchant, the transaction details were transmitted through the network to a processing company. These processing companies then forwarded the transaction information to the issuer banks, which were the banks that had issued the cards to the consumers. The issuer banks sent payments to the processing companies, which, in turn, funneled the payments back to the merchants. Visa and MasterCard had overarching agreements that governed all the entities in their networks. These master agreements outlined the criteria and procedures for a network member to seek compensation for losses resulting from data breaches within the network. Heartland Payment Systems, Inc. (Heartland) was one such processing company operating within the Visa and MasterCard network. Heartland experienced a security breach, leading to numerous consumers falling victim to fraudulent charges. Lone Star National Bank, N.A., and other issuer banks (the issuer banks) initiated a negligence lawsuit against Heartland, asserting that Heartland's negligence was responsible for causing them financial losses.
• What is the procedural posture?
  ◦ The district court ruled in favor of dismissing the lawsuit, concluding that the issuer banks could not pursue a negligence claim for their purely financial losses. Instead, their sole avenue for seeking redress from Heartland, if available at all, would be through the master agreements. Subsequently, the issuer banks filed an appeal.
• What is the issue the court must address?
  ◦ Whether the economic loss rule bars a negligence claim when there is no contractual privity between the parties.
• What are the parties’ arguments?
  ◦ Plaintiffs’ Argument: The economic loss rule should not bar the negligence claim because they are not contractually obligated to defendant in any way.
  ◦ Defendant’s Argument: The economic loss rule applies because all of these parties are in the web together.
• What is the economic loss rule?
  ◦ The economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies.
• What is the purpose of the rule?
  ◦ Generally speaking, tort principles are better suited for resolving claims involving unanticipated physical injury, particularly those arising out of an accident. Contract principles, on the other hand, are generally more appropriate for determining claims for consequential damage that the parties have, or could have, addressed in their agreement.
• Is the economic loss rule absolute?
  ◦ It is not.
• When does the economic loss rule not apply?
  ◦ The economic loss doctrine does not bar tort recovery where the defendant causes an identifiable class of plaintiffs to which it owes a duty of care to suffer economic loss that does not result in boundless liability.
• How does the court apply these rules?
  ◦ Issuer banks are an identifiable class as required for the economic loss rule. Heartland has a reason to foresee that the issuer will suffer a loss if Heartland was negligent.
• The court provides two other rationales in support of its holding--what are they?
  ◦ If there is no tort remedy, the issuer banks will be left with no remedy.
  ◦ It is unclear if Heartland had a contract with Visa and Mastercard, and as such it is not clear if the allocation of risk can be subject to negotiations.
