Authors: Erica Gann Kitaev and Paul Karlsgodt

One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (“CMIA”),[1]  which provides that a person may recover $1,000 “nominal” damages against a healthcare provider who has negligently “released” the person’s medical information.  Until recently, no California appellate court had directly analyzed what constitutes a “release” of medical information under the CMIA.  The court in The University of California v. Superior Court (Platter)[2] addressed this question for the first time in 2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself.  Instead, the court held, a plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff’s medical information.  The Platter decision will protect defendants from CMIA liability in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after the loss or theft.

In another influential decision involving statutory claims under both California and federal law, the U.S. District Court for the District of Delaware dismissed a complaint against Google in In re Google Inc. Cookie Placement Consumer Privacy Litigation[3] for its alleged act of circumventing the privacy settings on Apple’s Safari web browser in order to place web cookies on the user’s hardware that track web browsing activity. In addition to holding that the plaintiffs lacked Article III standing in the absence of proof of a statutory violation, the court dismissed a variety of state and federal claims, including claims brought under the Electronic Communications Privacy Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and various state laws.

The results were more mixed in Bell v. Blizzard Entertainment, Inc.,[4] where the U.S. District Court for the Central District of California dismissed most, but not all, state law causes of action brought against a video game manufacturer after hackers gained access to users’ account information. The court dismissed the plaintiffs’ claims for unjust enrichment, which were based on the theory that the defendant benefited from the sale of products without protecting their data security, because the parties’ relationship was governed by a comprehensive, express contract. The court dismissed the plaintiffs’ negligence per se claims, which were based on the theory that the defendant had failed to give timely notice of the breach under state law, because the information compromised (email address, secret question answers, and scrambled passwords) did not fall within the definition of “personal information” the compromise of which would trigger a reporting requirement under state law. The court also dismissed the plaintiffs’ claim brought on a bailment theory, finding that personal information is not a chattel that can be subject to the common law principle of bailment and finding the claim duplicative of the contract and negligence claims.

Following the general trend, the Blizzard court additionally dismissed the plaintiffs’ contract and negligence claims based primarily on the plaintiffs’ failure to allege any compensable harm.  The court rejected the plaintiffs’ argument that an increased risk of future identity theft could satisfy the harm element of these claims and found that any claimed diminution of value of the video games the plaintiffs purchased was too speculative to be compensable.  However, the court permitted the case to continue on one of the three theories the plaintiffs submitted in support of their consumer fraud claims, finding that alleged omissions about the need to purchase a physical “authenticator” device to ensure account security could support a claim under the Delaware Consumer Fraud Act.

The Google and Bell cases illustrate the variety of ways in which theories of liability for invasions and breaches of privacy are constantly changing, just as Internet technology continues to evolve. Although many of these creative theories of liability are ultimately unsuccessful, companies that do business using the Internet should frequently reevaluate their privacy policies and business practices in light of the developing theories of liability.

[1] California Civil Code § 56.

[2] The University of California v. Superior Court (“Platter”), 220 Cal. App. 4th 549 (2013), mod. on reh’g (Cal. App., Nov. 13, 2013).

[3] In re Google Inc. Cookie Placement Consumer Privacy Litigation, MDL Civ. No. 12-2358-SLR (D. Del. Oct. 9, 2013).

[4] Bell v. Blizzard Entertainment, Inc., 12-CV-09475 BRO (PJWx) (C.D. Cal. July 11, 2013).