Is It Futile to Keep Up With Data Breaches?


Happy August 14! We are 226 days into the year and only have 139 days remaining in 2019! I hope everyone is making good progress on their New Year’s resolutions. One of my goals for the year is to read 26 books; I have read 17 so far this year. What book recommendations do you have for me?

Today is also the birthday of Halle Berry, who was born in Cleveland, Ohio. Happy Birthday to her!

Most importantly, August 14 is National Financial Awareness Day.

Miriah’s Take: Is It Futile (For Consumers) to Keep Up With Data Breaches?

As large-scale data breaches remain a constant occurrence, is it possible to keep track of the new developments related to massive data breaches?

Last month, the Federal Trade Commission announced Equifax will pay $575 million as a part of a settlement with the agency, the Consumer Financial Protection Bureau, and individual state litigants. (Disclosure: the Ohio Credit Union League, the entity behind this blog, is a plaintiff in a separate pending class-action lawsuit against Equifax.) Equifax suffered a massive data breach in 2017, which exposed 145.5 million social security numbers to hackers and more than 200,000 payment card numbers and expiration dates.

In the proposed settlement, Equifax will specifically pay $300 million to provide credit monitoring services for affected consumers. Initially, affected consumers could opt for the credit monitoring services or a $125 cash payment. Since then, the FTC has said that consumers will not receive the full $125 cash option. The total amount available for the cash payment was only $31 million, making the settlement amount of $575 million less appealing when consumers cannot even receive the full $125 the FTC advertised.

While consumers are maneuvering the potential settlement with Equifax, many are navigating another data breach at Capital One Financial (Capital One). Capital One is one of the largest credit card issuers in the United States. At the end of July, the company disclosed that a hacker gained access to data from over 100 million people, including 140,000 social security numbers, 80,000 bank account numbers, and 1 million social insurance numbers (Canadian government identification numbers), because the hacker (a former employee of Amazon Web Services) infiltrated an (Amazon) cloud server. You can read more about it in this New York Times story.

As data breaches remain prevalent, let’s take a brief glance at what plaintiffs must prove as a consumer litigant in a data breach case. Depending on who you ask, some may say data breach plaintiffs have a hard time proving standing, while others may say standing is a very low bar in these types of cases.

As a refresher, Article III of the U.S. Constitution requires plaintiffs to prove standing before a federal court may hear cases and controversies. The courts have interpreted that to mean the plaintiff must personally show that: 1. the plaintiff suffered some actual or threatened injury; 2. that injury can be fairly traced to the challenged action of the defendant; and 3. that injury is likely to be redressed by a favorable decision.

Looking at data breach cases, the most successful claims have involved fraud losses for credit and/or debit cards as those are viewed as substantive, tangible injuries. Contrasting that scenario with Equifax, consumers in Equifax may have had their personally identifiable information breached but not suffered any monetary loss (yet). Depending on the type of plaintiff mentioned above, can an individual easily demonstrate standing?

In 2016, the United States Supreme Court, in Spokeo v. Robins, adopted a narrow view of Article III standing. The plaintiffs alleged their statutory rights were violated but did not allege any violation beyond that. The Supreme Court stated that a mere technical statutory violation, divorced from concrete harm, is not enough for Article III standing.

As a reminder, Spokeo addressed federal claims (a technical violation of the Fair and Accurate Credit Transactions Act) and not state law negligence claims (a popular theory in data breach lawsuits).

Let’s look at Alexandria Rudolph v. Saks and Company, the data breach class action pending in the Southern District of New York District Court. Denying the defendant’s motion to dismiss, the court examined the plaintiff’s injury.

Defendant, Saks, argued that because the plaintiff’s bank immediately canceled the debit card and no fraudulent charges were incurred, the plaintiff did not allege an injury-in-fact or actionable risk of future injury, under Article III. While the court dismissed the plaintiff’s negligence per se claim, the court allowed the claims under Mississippi’s consumer protection statute and the California Customer Records Act to move forward.  In determining this, the court noted that plaintiff expended “approximately 230 minutes and $4.68 to deal with the freeze placed on her card and obtain a replacement debit card,” which is sufficient to demonstrate injury and standing. For illustrative purposes, this case might be considered a low standing threshold.

To recap, consumers can be victims of multiple data breaches, must navigate what to do when their personally identifiable information is exposed, consider hiring counsel, and may not receive their fair share of an applicable class-complaint. This leads us to our main question: is it futile for consumers to stay abreast of data breaches? We hope you will ponder this question and weigh in through reader feedback!

Miriah’s Hot Topic: Litigation Surrounding Americans with Disabilities Act Website Accessibility Still Ongoing

Recall, the first Ohio credit union specific Americans with Disabilities Act (ADA) website accessibility lawsuit was filed on December 12, 2017. Fast forward to August 2, 2019: the last Ohio credit union specific website lawsuit was dismissed after the court granted the credit union’s motion to dismiss. So what happened between December 2017 and August 2019? Let’s explore.

In 2018, more than 10,000 Title III ADA lawsuits were filed in federal courts nationwide, representing a 33 percent increase from 2017. In Ohio, 11 credit unions were subject to litigation filed against them for allegations that the credit union violated Title III of the ADA due to allegedly having an inaccessible website, specifically one that was not compatible with a screen reader.

For years, courts have been tasked with determining whether a website (the internet) can be considered a place of public accommodation under Title III of the ADA; if the website is a place of public accommodation, whether there must be a requisite nexus; and finally, what standards, if any, apply to websites.

The case law that has developed from the Ohio credit union specific litigation is not uniform, so let’s sample a few recent cases.

  • Mitchell v. Buckeye State CU: Like the majority of credit union specific ADA website accessibility cases in Ohio, this court dismissed the plaintiff’s complaint, granting Buckeye State’s motion to dismiss. Looking closely at the membership aspect, the court concluded the plaintiff did not have requisite standing (injury) to bring a lawsuit against Buckeye State CU, because the plaintiff was not a member of the credit union. As the court reasoned, even if Buckeye CU’s website had been accessible to the plaintiff, it would not “have the effect of providing Mitchell with accessibility to products or services of Buckeye as Mitchell is not eligible to take advantage of these benefits.” Further, the court noted that the plaintiff could not “demonstrate a legitimate desire to return, a prerequisite for injunctive relief.” 
  • Mitchell v. BMI FCU: The first credit union specific opinion out of the Southern District for the U.S. District Court, the court granted BMI FCU’s motion to dismiss. While the court acknowledged in the opinion that the plaintiff’s prior inability to access BMI FCU’s website constituted an injury, the ruling on the motion to dismiss centered upon future injury. Because the plaintiff requested injunctive relief, “standing depends on whether the plaintiff is likely to be injured by the same allegedly offending conduct in the future.” Thus, the court concluded the plaintiff was not likely to suffer future harm, as BMI FCU’s website, at the time of the opinion, was completely functional.
  • Mitchell v. DayMet CU: While other Ohio cases have found that a credit union non-member does not have standing to bring a lawsuit for the inability to access a website, the court, relying on Brintley v. Aeroquip Credit Union, stated that “eligibility for membership in the credit union is not a prerequisite for standing.” Further, the court recognized if the plaintiff was unable to access the credit union website, that action constituted a dignitary harm. In the complaint, the plaintiff sought injunctive relief which requires the plaintiff to allege a plausible intention or desire to return to the place but for the barriers at the place of public accommodation. Because the plaintiff did not allege “more than speculative future harm,” the court dismissed the complaint against DayMet CU, as the allegations fail to meet the constitutional requirements.

In Michigan, credit union specific ADA website accessibility cases have not received the same favorable rulings. Two credit unions (Brintley v. Aeroquip CU and Brintley v. Belle River Community CU) are appealing rulings to the 6th Circuit Court of Appeals. The oral arguments (held on August 8) focused on whether plaintiff has standing to bring the lawsuits, despite being a non-member of both credit unions. Two important questions were posed by the panel of judges during oral arguments:

  • If the non-member distinction is not relevant to the cases, could the plaintiff sue every credit union nationwide if the plaintiff was interested in exploring the banking services of each credit union?
  • Whether the evidence of a statutory violation is evidence of standing (and whether that [improperly] circumvents the standing requirements in the Constitution).

This blog will continue to monitor updates related to ADA website accessibility litigation, including both Brintley cases.

This year, almost 6,000 ADA Title III lawsuits were filed in federal court, compared to approximately 5,000 last year for the same time period. As you can guess, most litigation is filed in California, New York, and Florida.

Despite the increased litigation, there remains no clarity on the issue, whether from Congress or the Department of Justice, which is the prudential regulator of the ADA. As the issue remains extremely relevant and important, all parties look to the Department of Justice to articulate clear standards so that disabled individuals can access the appropriate information and businesses can understand the rules and meet the standards.

As the Credit Union Times points out, there is still an active push for the Department of Justice to create accessibility standards for websites. Previously, six senators, 103 representatives, and 19 state attorneys general have pressed the Department of Justice to issue guidance or rules on the issue. Most recently, U.S. Senator Grassley and six other Senators sent a follow-up letter to the Department of Justice (following their 2018 letter) pressing Attorney General Barr to clarify whether and how the ADA applies to websites.

In 2020, will interested parties still be requesting clarification from Attorney General Barr?

Miriah’s Tip:

Summer is winding down and you may be thinking of planning your fall/holiday vacations. If you are not familiar with the app Hopper, make sure you check it out.

Miriah’s Mailbox

It is definitely summer vacation season, as the mailbox has been empty. Don’t be shy and send your reader feedback to the blog.

Send your funny regulatory stories, reader feedback, and future topic ideas to mlee@ohiocul.org.
