On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether their scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggests that the panel’s position is that scraping publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA has been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Night Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.

Continue Reading Ninth Circuit Affirms Preliminary Injunction in HiQ Labs, Inc. v. LinkedIn Corporation, Reasoning that CFAA Is Unlikely to Bar Access to Public LinkedIn Data

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

It has been eight months since the Supreme Court of the United States decided, in Facebook v. Duguid, that the federal Telephone Consumer Protection Act’s (TCPA) outdated definition of an automated telephone dialing system (ATDS or autodialer) did not cover devices—like most modern phones—which can store numbers that are not randomized. This decision resolved a long-standing circuit split over how to interpret the TCPA, but it has not led to the clarity that many companies desired.

While courts have started applying the narrowed ATDS definition under Duguid, companies engaged in telemarketing are not yet in the clear as many had initially thought in the immediate aftermath of Duguid. A number of trends have emerged that give new teeth to TCPA-like claims, including a spike in cases at the state level, novel legal theories, and a focus on other aspects of the TCPA. Moving into 2022, we expect a continued evolution in complaints brought under state telemarketing laws, and we might also see legislation or FCC guidance intended to update the TCPA so that it applies to modern dialing technologies.

Continue Reading The TCPA, State Analogues, and the Future of Telemarketing Litigation

Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly-traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation. But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.

The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.

“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”

Continue Reading Blackbaud Ransomware Litigation Update

On June 3, 2021, in a 6-3 decision that created a diverse majority—uniting the most recent conservative additions—Justices Barrett, Kavanaugh, and Gorsuch—with the more liberal Justices Breyer, Sotomayor, and Kagan, the Supreme Court resolved a split among the Circuit courts regarding the Computer Fraud and Abuse Act (the CFAA), The language of the CFAA creates

On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195.  In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.

Continue Reading DC District Court Requires Production of Cybersecurity Assessment Prepared at Direction of Outside Counsel

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.

Continue Reading UK Group-Style Data Breach Actions Continue

A federal judge in Oregon, Hon. Michael H. Simon, has recently upheld a $925 million statutory damages award against health supplement maker ViSalus for its violation of the Telephone Consumer Protection Act (“TCPA”)—making this the largest TCPA damages award to date.

The underlying class action against ViSalus alleged the company placed nearly 2 million unsolicited robocalls nationwide to advertise its weight-loss and dietary products.  The class argued that the robocalls constituted unlawful telemarketing practices and violated the TCPA, and after a three-day trial in April of 2019, a jury agreed.
Continue Reading $925M TCPA Robocall Award Upheld

In an interesting data protection case, Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men.  The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.
Continue Reading UK Held to Have Breached Data Protection Laws Over Alleged Islamic State Members

CCPARecent class action complaints against Zoom Video Communications, Inc. (“Zoom”) are interesting examples of the new risks posed by the California Consumer Privacy Act (“CCPA”) which took effect on January 1. While formal enforcement by the California Attorney General will not begin until July 1, the CCPA’s private right of action allows individuals to bring suits before July. Although the text of the CCPA’s private right of action would lead a reader to believe that the private right of action is limited to suits alleging a breach of personal information, apparently some plaintiffs are not shying away from attempting to use the CCPA to support other litigation.  How the California courts handle such lawsuits will be instructive to businesses who collect personal information from California residents.
Continue Reading Zoom Faces Class Action Complaints Alleging CCPA Violations