Data Security Breach Supported Contract, Negligence Claims

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

An individual could have sustained an injury in fact from the failure of a publisher and developer of online services and applications for use with social networking sites (“RockYou”) to secure and safeguard its users' sensitive personally identifiable information (PII), sufficient to support contract and negligence claims brought under California common law, on behalf of himself and a purported class of similarly situated persons, according to the federal district court in Oakland.

The individual failed, however, to allege actionable injuries in support of his claims that RockYou violated the California Unfair Competition Law, Computer Crimes Law, and Consumer Legal Remedies Act. The statutory claims were dismissed with prejudice.

Collection, Storage of Personal Information

The individual—a registered user who had given RockYou his e-mail address and password in order to sign up to use a photo sharing application—asserted that RockYou collected and stored millions of users' PII in a large-scale commercial database, in “clear” or “plain” text, with no form of encryption, so that the PII was readily accessible to anyone with access to the database.

RockYou allegedly was negligent by failing to store passwords in a “hashed” form or to use any other common and reasonable method of data protection.

In December 2009, RockYou disclosed to users that one or more hackers had illegally breached its database and acknowledged that, at the time of the breach, the hacked database had not been up to date with industry-standard security protocols.

Contract and Negligence Claims

With regard to the contract and negligence claims, the individual sufficiently alleged a general basis for the requisite injury or harm by alleging that the breach of his PII caused him to lose some ascertainable but unidentified value or property right inherent in the PII, the court said.

The claims were not automatically precluded by a provision of RockYou's privacy policy, which stated that RockYou assumed no liability for third-party breaches of its secure servers. The individual asserted that RockYou's servers were not, in fact, secure.

The individual's allegations did not, however, rise to the level of stating a breach of the implied covenant of good faith and fair dealing, the court decided. The alleged misconduct did not involve conscious or deliberate actions by RockYou.

Unfair Competition Law

Although the breach of his PII could constitute a general form of “harm,” the individual failed to allege any loss of money or property as a result of RockYou's conduct, as required for a claim under the California Unfair Competition Law, the court determined.

The individual's contention that his PII constituted “currency” strained the acceptable boundaries of injury under the Act. To the extent that the individual claimed that his PII was “property,” he could not establish that his PII was “lost,” for purposes of the Act. His e-mail login and password did not cease to belong to him or pass beyond his control.

Computer Crimes Law

RockYou’s alleged failure to secure and safeguard its users' sensitive personally identifiable information (PII) would not violate California’s Computer Crimes law, in the court’s view. The statute prohibited any person from knowingly and without permission accessing or providing a means for another to access a computer system or network.

RockYou was not a proper defendant under this provision, the court said. RockYou's alleged failure to utilize reasonable data security methods did not constitute “providing a means” for third-party hackers to illegally access RockYou's database.

Consumer Legal Remedies Act

The individual failed to allege that he was a “consumer” within the meaning of the California Consumer Legal Remedies Act. He did not “purchase or lease” any goods or services from RockYou, as required for CLRA standing. There was no authority supporting the individual's contention that the CLRA covered intangible forms of payment, such as the individual's PII, the court said.

The decision is Claridge v. RockYou. Inc., CCH Privacy Law in Marketing ¶60,620.

Canadian Franchisees’ Class Action Against Quizno’s Allowed to Proceed

This posting was written by Pete Reap, Editor of CCH Business Franchise Guide.

Class certification under Canada’s Class Proceedings Act was appropriate for an action brought by two Canadian Quizno’s franchisees on behalf of a class of all Canadian Quizno’s franchisees for breach of contract, illegal price maintenance, and conspiracy to fix prices, according to the Ontario Court of Appeal.

Even if the damage issues could not be handled on a class-wide basis, certification was proper because trial of the action’s common issues would significantly advance the litigation, the court determined

The appellate court affirmed a decision of the Ontario Superior Court of Justice, sitting as a divisional court, which reversed an earlier ruling by a motion judge that denied class certification (CCH Business Franchise Guide ¶7,398).

The franchisees alleged that Quizno’s, and the distributor that Quizno’s had selected to distribute food and other supplies to its Canadian franchises, established a price maintenance scheme in violation of the Competition Act through which large sums of money were extracted from the franchisees. The franchisees asserted that the prices they were contractually forced to pay for supplies pursuant to the scheme were inflated and commercially unreasonable.

Common Issues

In denying certification, the motion judge held that the franchisees failed to satisfy the common issue criterion for class certification because they failed to show that their damages, if any, could be proven in the aggregate on a class-wide basis.

The removal of the assessment of damages as a common issue had “the effect of an avalanche that buries the proposed common issues with an absence of commonality and a proliferation of individual issues.”

In reversing that ruling, the majority of the divisional court concluded that the motion judge’s reasoning was improperly focused on the issue of damages and that he committed reversible error in failing to consider the franchisees’ remaining proposed common issues.

There were enough significant common issues to each of the claims of illegal price maintenance, conspiracy, and breach of contract which would advance the litigation by proceeding on a class-wide basis, the divisional court ruled.

Price Maintenance

A finding of violation of the Competition Act’s price maintenance provision (since repealed in 2009, the court noted) did not require proof of loss or damage or a detailed analysis of the prices paid for each product by each franchisee and the prices that each franchisee would have paid but for the alleged illegal scheme.

The fact that franchisees would be required to show proof of loss or damage in order to recover damages for their price maintenance claim did not detract from the conclusion that breach of the price maintenance provision was a common issue that advanced the litigation.

If the court became satisfied that Quizno’s imposed sourcing fees and mark-ups by way of its distribution agreement in an attempt to influence upwards the prices paid by franchisees, and that the pricing scheme constituted illegal price maintenance, a substantial ingredient of liability for damages could be proven on a class-wide basis.

It was not necessary, at the class certification stage, to engage in debate over the relative strengths and weaknesses of the expert evidence presented by the two sides as the motions judge had done, the appellate court noted.

Conspiracy

In order to succeed on the conspiracy claim, the franchisees would be required to prove:

(1) that there was an illegal agreement to maintain prices between the defendants;

(2) that the distributor committed unlawful aiding and abetting conduct;

(3) that the defendants performed actions in furtherance of the conspiracy;

(4) that the defendants should have known the conspiracy would seriously harm the franchisees; and

(5) that the conspiracy caused damages to the franchisees.

The court affirmed the divisional court’s conclusion that—even in the absence of the fifth element (proof of the fact of loss)—the other elements of conspiracy were issues that would advance each franchisee’s claim and avoid duplication of factfinding and legal analysis.

Breach of Contract

A significant number of factual and legal issues integral to the franchisee’s breach of contract claim were common issues, the appellate court held, accepting the conclusions of the divisional court.

Issues that could be determined on a class-wide basis and advance the litigation included: the meaning of the contractual provisions, the existence and nature of any common law duty of fairness, and breach of contract by Quizno’s failure to provide the franchisees with specifications.

The June 24 decision is Quizno’s Canada Restaurant Corp. v. 2038724 Ontario Ltd. Text of the opinion will appear in the CCH Business Franchise Guide.

Further details regarding the CCH Business Franchise Guide appears here on the CCH Online Store.