Consumers turn tables against corporate defense in compelled arbitration of information privacy claims

Image via www.vpnsrus.com by Mike MacKenzie CC BY 2.0

Consumer plaintiffs turned the usual tables on corporate defense in the fall when a federal court in Illinois ordered Samsung Electronics to pay millions of dollars in arbitration fees in a biometric privacy case.

In the underlying arbitration demand, 50,000 users of Samsung mobile devices accuse the company of violating the Illinois Biometric Information Privacy Act (BIPA). BIPA is a tough state privacy law that has made trans-Atlantic waves as it fills the gap of Congress's refusal to regulate the American Wild West of consumer privacy.

Typically of American service providers, Samsung endeavored to protect itself from tort liability through terms and conditions that divert claims from the courts to arbitration. The (private) U.S. Chamber of Commerce champions the strategy. Arbitration is reliably defense-friendly. Rumor has it that arbitrators who don't see cases corporations' way don't have long careers. And companies bask in the secrecy that shields them from public accountability. (Read more.)

Resistance to compelled arbitration has been a rallying cause of consumer advocates and the plaintiff bar. For the most part, resistance has been futile. But consumer plaintiffs appear to have a new strategy. The Chamber is not happy.

In the instant case, consumers alleging BIPA violation were aiming for arbitration. Arbitration rules, endorsed by Samsung's terms, require both sides to pay toward initial filing fees, a sum that adds up when 50,000 claims are in play. The consumers' attorneys fronted their share, but Samsung refused. The company weakly asserted that it was being scammed, because some of the claimants were deceased or not Illinois residents, both BIPA disqualifiers.

Samsung must pay its share of arbitration filing fees for living Illinois residents, the district court answered, at least those living in the court's jurisdiction. Many of those consumer claimants were identified with Samsung's own customer records. A few whom Samsung challenged, the claimants dropped from their number. Even when the court pared the list to consumers in Illinois's federal Northern District, roughly 35,000 were still standing.

"Alas, Samsung was hoist with its own petard," the court wrote, quoting Shakespeare. The court opined:

Samsung was surely thinking about money when it wrote its Terms & Conditions. The company may not have expected so many would seek arbitration against it, but neither should it be allowed to “blanch[] at the cost of the filing fees it agreed to pay in the arbitration clause.” Abernathy v. Doordash, Inc., 438 F.Supp. 3d 1062, 1068 (N.D. Cal. 2020) (describing the company’s refusal to pay fees associated with its own-drafted arbitration clause as “hypocrisy” and “irony upon irony”).

The American Arbitration Association, the entity with which the claimants filed pursuant to Samsung's terms, estimated Samsung's tab at $4.125 million when the number was still 50,000 claims.

Attorneys Gerald L. Maatman, Jr., Rebecca S. Bjork, and Derek Franklin for corporate defense firm DuaneMorris warned:

As corporations who employ large numbers of individuals in their workforces know, agreements to arbitrate claims related to employment-related disputes are common. They serve the important strategic function of minimizing class action litigation risks. But corporate counsel also are aware that increasingly, plaintiffs’ attorneys have come to understand that arbitration agreements can be used to create leverage points for their clients. Mass arbitrations seek to put pressure on respondents to settle claims on behalf of large numbers of people, even though not via the procedural vehicle of filing a class or collective action lawsuit. As a result, corporate counsel should carefully review arbitration agreement language with an eye towards mitigating the risks of mass arbitrations as well as class actions.

Samsung wasted no time appealing to the Seventh Circuit. The case has drawn a spate of amici with dueling briefs from the Chamber and associates, favoring Samsung, and from Public Justice, et al., favoring the consumer claimants.

The district court case is Wallrich v. Samsung Electronics America, Inc. (N.D. Ill. Sept. 12, 2023), opinion by Senior U.S. District Judge Harry D. Leinenweber. The appeal is Wallrich v. Samsung Electronics America, Inc. (7th Cir. filed Sept. 25, 2023).

Plaintiff drops privacy suit that stretched to claim against UMass Medical in nationwide data breach

UMass Chan Medical School
Mass. Office of Travel & Tourism via Flickr CC BY-ND 2.0

Until six days ago, the University of Massachusetts Chan Medical School was defending a privacy suit over a data breach, though the plaintiff liability theories looked thin.

There doesn't seem to be any dispute over the fact of the data breach. UMass Chan was just one of hundreds of organizations nationwide implicated in a breach affecting tens of millions. According to electronic security firm Emsisoft (which has a commercial interest in higher numbers), the breach affected more than 2,700 organizations and the data of more than 94 millions persons (last updated Jan. 18, 2024).

The vulnerability for all of these organizations was a file transfer platform called MOVEit, a product of publicly traded, Burlington, Mass.-based Progress Software Corp. UMass Chan used MOVEit to transfer personal information to other state agencies and programs. Hackers obtained and published the data of more than 134,000 persons, including recipients of state supplemental income and elder services.

According to state officials, WBUR reported, the "exposed data varies by person, but in each case includes the person's name and at least one other piece of information like date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information." The commonwealth notified affected persons and offered free credit monitoring and identity theft protection.

The complaint filed in federal court in September 2023 sought class action certification. The named plaintiff blamed UMass Chan for weak security and delayed notification resulting in a fraudulent attempt to use her debit card. Wednesday last week, the plaintiff voluntarily dismissed without prejudice, meaning the case might not yet be over.

The articulated causes of action, though, were a stretch. That's not to say that the putative plaintiffs suffered no injury. The problem rather is that the law in most states, including Massachusetts, and at the federal level still fails to define data privacy wrongs in a manner on par with the law of Europe and most of the rest of the world.

There was no statutory cause of action in the UMass Chan complaint. The diversity complaint alleged counts of negligence, breach of contract, and unjust enrichment.

Negligence has not been a productive vein for privacy plaintiffs, who lack the usually prerequisite physical injury. Massachusetts cracks open the door more than most other states to negligence actions based on lesser injury claims, such as emotional distress or economic loss. But it's not a wide opening.

Privacy actions in state law meanwhile are problematic because American common law has not yet well established the nature of the plaintiff's loss according to conventional understandings of injury. Indeed, federal courts disagree over when a statutory state privacy action supplies the "injury-in-fact" standing required by the federal Constitution. 

The named plaintiff in the UMass Chan case hastened to emphasize her contractual relationship with UMass Chan as a service provider, in an effort to anchor the negligence claim within a strong relationship of duty to get through the Massachusetts doorway. She described the identity risk of the debit-card incident to establish economic loss at least.

It's not clear that the pleading could have pushed over the hurdles to negligence recovery. I have advocated for the evolution of common law tort to close the gap in recognition of privacy violations in U.S. law, similarly to how UK courts developed the "misuse of private information" tort in common law to complement transposition of EU data protection. The Massachusetts Supreme Judicial Court could do that; certification would be required here in a federal case. But the trend in American data privacy law rather has been for the courts to wait on legislators to move the ball forward.

The other liability theories were a stretch, too. In contract, the plaintiff alleged herself a third-party beneficiary of data sharing agreements between UMass Chan and its state partners. Third parties can claim rights in a contract, but the proof is stringent. Contract law also raises a damages problem. The plaintiff here was not seeking specific performance, and it's not clear that any recovery in contract law would exceed the remediation the commonwealth already offered.

The equitable claim of unjust enrichment theorized essentially that UMass Chan benefited financially by cheaping out on security. That's creative, but a plaintiff in equity usually wants back something she lost to the defendant. A differential in the cost of contract services is speculative, and it's an attenuated causal chain to allege detriment to UMass Chan clients.

Privacy plaintiffs in the United States have seen some success using laws that predate contemporary data breach. But those theories won't work here. Massachusetts once had a leading data regulatory system for its requirements of secure data management. But the law is now well worn and has not kept up with other states, California being the model. Critically, the Massachusetts regs don't provide for private enforcement.

Some plaintiffs have found success with the dated (1986) Computer Fraud and Abuse Act. But a federal CFAA claim would be leveled properly against the hacker. The alleged culpability of UMass Chan is more accident than abuse.

American privacy plaintiffs flailing to state wrongs in litigation unfortunately is common and will continue as long as the United States lacks a comprehensive approach to data protection. I wrote 10 years ago already that American expectations in data privacy had outpaced legal entitlements.

The pivotal factor in whether MOVEit breach victims find any relief is likely to be the state where they and their defendants are located. Perhaps the case will push commonwealth legislators at last to act on a bill such as the proposed Massachusetts Information Privacy and Security Act (see, e.g., Mass. Tech. Leadership Council).

The case is Suarez v. The University of Massachusetts Chan Medical School (D. Mass. filed Sept. 18, 2023).

'Marketplace' features book, film, Wisconsin law class on wild risks at shuttered N.J. water park

Action Park fun in 1994
(Joe Shlabotnik CC BY 2.0 via Wikimedia Commons)

Marketplace today features a torts course about accident risk and liability at a water park.

The 2020 HBO documentary Class Action Park (2020) (trailer) told the story of Action Park, a New Jersey theme park in the 1980s and 1990s.  Here is a compelling excerpt of the film's pitch:

It was known as a lawless land, ruled by drunk teenage employees and frequented by even drunker teenage guests. The rides were experimental and illogical, and seemed to ignore even the most basic notions of physics or common sense—not to mention safety.

Let’s put it this way: There was an enclosed tube waterslide that went in a complete loop—and that wasn’t even close to the most dangerous ride at the park.

Lying somewhere between Lord of the Flies and a Saw movie, Action Park is remembered as a place so insane and treacherous that, decades later, anybody who ever stepped foot in it is left wondering whether their memories could possibly be true. It became a nearly perfect breeding ground for urban legends and myths.

And then there was the park’s founder: A genius madman who was willing to break any rule to bring his vision to life, including the creation of a fake insurance company in the Cayman Islands to circumvent insurance regulations. As cunning as he was criminal, Action Park became the pure expression of his particular worldview, which valued self-responsibility above all else—including basic safety measures and physically practical rides.

There is a book, too: Action Park (2020) by Andy Mulvihill and Jake Rossen.  Andy Mulvilhill is the son of the "genius madman," Gene, who died in 2012. Andy wrote a narrative about his father in Esquire in 2020.

Attorney Bill Childs, adjunct professor at Mitchell Hamline Law School and assistant general counsel at 3M, has taught a course about Action Park, Recreation and Risk: no doubt an informative exploration of how the tort system is supposed to regulate social and economic activity and how its dysfunctions often cause it to fail. For the Marketplace story, David Brancaccio interviewed Professor Childs.

I start Torts I each fall with consideration of the relationship between the thriving market in extreme supports in New Zealand and the suspension of tort litigation in favor of the nation's administrative accident compensation system. N.Z. bungee-jump entrepreneur A.J. Hackett told Australian Broadcasting in 2012 that he closed his Las Vegas franchise because of frivolous litigation. I have doubts about the frivolity of the claims, but there's no doubt that the threat of tort litigation in the United States calls on business models to moderate risk, for better and for worse, more than they might have to in other countries. In the same vein, I am keen myself to learn more about what went wrong or right in claims arising at Action Park.

Theme parks, because they aim to entertain the public at large, not especial risk takers, do not trigger the rare preservation of implied-assumption-of-risk doctrine (IAOR) that pertains in sport, sometimes to deprive even amateur athletes of a cause of action. In U.S. jurisdictions today, IAOR is largely superseded by the adoption of comparative fault, a partial defense. But athletes knowingly engage in a suspension of the social contract, voluntarily undertaking a degree of risk that the general public ordinarily does not.  So some jurisdictions preserve IAOR for that occasion.

The inapplicability of IAOR to Action Park risk is on my mind because of a recent article in which Toronto attorney Will Keele and Windsor law student Keanin Parish revisited a 1993 case, Hall v. Hebert, in which the Supreme Court of Canada preserved IAOR in a non-sporting context. After "equally drunk" Hall and Hebert's Pontiac "muscle car" dropped 30 feet into a ditch in 1986, Hall sued Hebert for having let him drive. On those facts, the court favored volenti, a functional equivalent of IAOR, as a complete defense over comparative fault as only partial defense. In other words, Hall had it coming. Keele and Parish opined that that conclusion squares with later cases in the 21st century that preserved IAOR as a defense against injury claims arising in golf and hockey.

The extremity of risk at Action Park shows that the line is not so bright between IAOR preservation for the plaintiff who consents to risk and the abolition of IAOR for the plaintiff who engages with risk unreasonably—or, I might say, between informal sport and general-public thrill-seeking. Were Action Park's "drunker teenage guests" so clearly different from Hall? The salient distinction arises less in the plaintiff's subjective consent and more in the nature of the risk known to arise from the activity the plaintiff undertakes. A car crash is a known hazard of drunk driving, but even a drunk theme park rider does not expect the ride to be operated unsafely—usually. At some point—"memories could possibly be true"?—the distinction runs out. 

I have not had an HBO subscription for a while, but if we sign up later this month for House of the Dragon, I'll check out Class Action Park, too.

Secret civil justice undermines employee rights

Pintera Studios

A story investigated by ProPublica and featured on Planet Money highlights the problem of secret justice in perpetuating the willful abuse of at-home gig workers.

I expected that "Call Center Call Out," reported by Planet Money's Amanda Aronczyk and ProPublica's Ariana Tobin, Ken Armstrong, and Justin Elliott, based on the ProPublica story, would be a sad and frustrating tale of work-from-home gig economy labor being exploited, principally by the misclassification of employees as independent contractors to reap savings in compensation, work conditions, and employee benefits.

Turns out, there is even worse dissimulation afoot.  And there are worrisome implications for the health of the civil justice system.

To work these call-center jobs, for intermediary contractors such as Arise Virtual Solutions, the not-quite-employees are compelled to sign non-disclosure agreements (NDAs), arbitration agreements, and class action waivers.  These all are enforceable, even when the workers do not fully understand their implications.

When a worker has the temerity to commence arbitration proceedings, challenging misclassification as an independent contractor, the worker wins.  In one example in the story, a worker easily qualified as an employee under the labor test applied by the arbiter.  A worker can win thousands of dollars in reimbursement of expenses—they have to pay out-of-pocket for the privilege of their training and then buy their own computers and telecomm equipment—and back wages to bring their compensation history up to minimum wage.  

But here's the rub: the workers already are bound by their NDAs, and the arbitration is secret, too.  So there is no public record of the misdeeds of the employer.  The arbitration-winning complainant cannot even tell other mistreated workers that their labor rights are being violated.

According to the reporters, the secret justice system of arbitration is actually part of the business model for enterprises such as Arise.  They can pay liability to a small percentage of workers while willfully exploiting most others.  Because of the NDAs, arbitration clauses, and, most importantly, class action waivers, a lawyer said in the program, she can fight this abuse only behind a veil of secrecy, one case at a time, amounting to thousands of cases, even though every case is winnable on precisely the same analysis.

There's a classic scene from Fight Club (1999) when the Narrator (Ed Norton) is telling an airliner seatmate about his car company's "formula" for issuing a recall only when it's cost effective, regardless of the cost of human life.  (Think GM ignition switch recall.)

"Which car company do you work for?" the seatmate asks.

The Narrator pauses, staring her in the eyes.  Then, nodding knowingly, he answers,

"A major one."

So what companies use these call centers to take advantage of the cheap and ill-begotten labor forces organized by companies such as Arise?

Major ones.  Ones you've talked to.

Have a magical day.

 

The stories are Amanda Aronczyk & Ariana Tobin, Call Center Call Out, Planet Money, Oct. 2, 2020; and Ken Armstrong, Justin Elliott, & Ariana Tobin, Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk to You, ProPublica, Oct. 2, 2020.

Boston Bar webinar will probe privacy law latest

Coming soon, the Boston Bar Association will host a webinar on data privacy class action litigation (and related privacy stuff too).  I'm trying to get up to speed on all of the latest developments so that I will not disappoint moderator Melanie A. Conroy, attorney and CIPP/US, of Pierce Atwood LLP, who graciously if foolhardily invited me to participate.  For The National Law Review in April, Conroy wrote the authoritative rundown on the Mount Ida student class action, which treatment inspired me to write about the case for The Savory Tort.

My task is daunting; a lot happened while I was in Africa early in the year and out of the office over the summer.  Our subject matter includes the new regulations under the California Consumer Privacy Act, burgeoning lawsuits under the Illinois Biometric Information Privacy Act, and the shock waves just now hitting the United States from the "Schrems II" decision in the European Court of Justice.  (Brush-with-greatness note: Max Schrems has been in my car.  Long story.)  That's just to get the ball rolling.

Co-panelists are Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh, of CarGurus, Inc.  Here are the program details from the BBA:

BBA Webinar: Roundtable on Recent Developments in Data Privacy Class Action Litigation
Thursday, September 24, 2020, 10:00 to 11:00 a.m.
This webinar will explore the growing prevalence of data privacy class actions through recent developments in data privacy legislation, expanded private rights of action, biometric privacy claims, consumer data suits, post-breach and cybersecurity litigation, and the increasingly complex landscape of rulings by federal courts of appeals. The presenters will discuss national trends and developments within the First Circuit and in Massachusetts. The discussion will look ahead to areas to watch and trends that may shape the development of data privacy class actions in the coming months and years.

The program is free for BBA members and $100 for non-members. Registration at least two hours before the program-start is essential to receive the Zoom link.

Honduran law dean joins UMass comparative law class

Speaking from UNITEC in Tegucigalpa, Dean Castro Valle explained how her 2018 English-language article on comparative tort law (featured) fit into her broader dissertation project on regional class actions for environmental justice in Central America.

#ComparativeLaw @UMassLaw (me & @PeltzSteele) today had privilege of a brilliant Zoom guest to educate us on Honduran/Central Am. civil law, as compared with EU and with US common law, and on harmonization in Central America. THANK YOU @cmcastrovalle! https://t.co/eHmGLwgMwy

— RJ Peltz-Steele (@RJPeltzSteele) October 9, 2019

UMass Law comparative law students asked about legal harmonization in Central America and asked Dean Castro Valle to assess the prospect of a supranational entity in the region, akin to the European Union, that might advance economic development. She said such a project has been in the works since the 1950s. Pointing to present discontent with President Ortega in Nicaragua, for example, she explained that not enough states have been stable and interested in pursuing the project at the same time. Meanwhile she and other legal scholars are working to harmonize civil codes and arbitration process to increase legal certainty sufficiently to attract investment from transnational business.