Antitrust and Unfair Competition Law
Competition: Spring 2015, Vol. 24, No. 1
HOW VIABLE IS THE PROSPECT OF ENFORCEMENT OF PRIVACY RIGHTS IN THE AGE OF BIG DATA? AN OVERVIEW OF TRENDS AND DEVELOPMENTS IN CONSUMER PRIVACY CLASS ACTIONS
By Matthew George1
I. INTRODUCTION AND OVERVIEW
A nationwide retailer is hacked and account numbers for millions of customers hit the black market for criminals to use to commit fraud. A hospital leaks its patients’ medical records on the Internet and reveals their diagnoses. Social media users learn companies are harvesting their private messages for data to sell them products. Each of these scenarios has become increasingly common news in the digital age of big data.
So where does that leave consumers when their personal information is exposed or misused? What recourse, if any, do they have in court when their privacy has been violated? While there are some laws that provide guidance on how personal information must be secured, many provide no private cause of action to consumers when their data is actually exposed. And, courts have dismissed many privacy cases at the pleading stage by rejecting plaintiffs’ theories equating the loss or exposure of personal data with monetary harm—despite the undisputed fact that personal information is valuable to the companies that hold it and the criminals who want it.2
While difficult, private enforcement of consumer privacy in the age of big data is not a lost cause. As discussed below, plaintiffs have had some success testing the application of traditional legal principles (like standing) to this developing practice area and there are many state and federal statutes that can provide relief to consumers when their privacy is violated. This article explores some of the key claims and legal issues that have emerged in recent lawsuits brought over consumer privacy issues, particularly in the context of customer account data, medical information, and electronic communications.
II. GETTING THROUGH THE COURTHOUSE DOORS – ARTICLE III STANDING AND DATA BREACHES
One of the biggest hurdles plaintiffs face asserting claims arising from data breaches is demonstrating Article III standing. As a threshold issue, standing is an "indispensable part of a plaintiff’s case" that requires plaintiffs to allege injury-in-fact, causation, and redressability tied to the defendant’s conduct.3 Because many data breaches do not necessarily result in immediate financial damages, some plaintiffs have encountered difficulty pleading alternate injury theories that satisfy Article III.
A. Early Privacy Breach Cases Find the Loss of Personal Data Confers Standing
Given the lack of precedent in early data breach cases, courts were presented with the novel question of whether plaintiffs had standing when their account data was exposed. The Seventh and Ninth Circuits initially agreed that plaintiffs, whose personal data was stolen, could sufficiently allege injury-in-fact because of the threat of future harm from the exposure of their personal information.4 However, the courts still affirmed dismissals of plaintiffs’ claims because they found their requests for credit monitoring or mitigation damages were insufficient to support the claims alleged.
The First Circuit viewed mitigation damages differently, finding that the purchase of credit monitoring services in response to a data breach was recoverable damage so long as it was reasonable.5 The First Circuit noted its finding was factually distinguishable from that of other courts because the plaintiffs before it had already experienced fraudulent charges as a result of the breach. In other cases where personal data has been lost or misplaced but not necessarily stolen or misused, mitigation damages have been deemed unreasonable because the courts found the threat of identity theft was too tenuous or unlikely.6
B. The Supreme Court’s 2013 Clapper v. Amnesty International Decision Builds a New Barrier for Plaintiffs to Demonstrate Standing
The Supreme Court’s 2013 examination of Article III standing in Clapper v. Amnesty International7 has provided defendants in privacy-related cases with new authority to defeat claims premised on the loss or misuse of personal information.
In Clapper, the plaintiffs claimed that their constitutional rights were violated by the government’s activities under the Foreign Intelligence Surveillance Act. The plaintiffs were a group of lawyers, activists, and journalists who engaged in international communications with persons who could have potentially been targeted by government surveillance for national security reasons. As a result of the government’s surveillance programs, plaintiffs alleged that the risk of surveillance was "so substantial that they ha[d] been forced to take costly and burdensome measures to protect the confidentiality of their international communications" and the threat of surveillance would force them to pay for unnecessary "travel abroad in order to have in-person conversations."8
The Supreme Court agreed with the government that plaintiffs had not demonstrated injury-in-fact to confer standing because the plaintiffs’ "threatened injury" was not "certainly impending."9 The Court viewed the possible injuries as too attenuated, and declared that Article III standing is not "fanciful, paranoid, or otherwise unreasonable,"10 and that plaintiffs could not "manufacture standing merely by inflicting harm on themselves based on fears of hypothetical harm."11 The Court’s ruling effectively meant that plaintiffs would only have been able to demonstrate standing if in fact they could have shown their communications were under surveillance, or that their sources were specific targets of the government’s spying—a burden that would be nearly impossible to show given the secrecy of the government’s security program.
Although it was not a consumer privacy case, Clapper has influenced a number of federal courts considering standing issues in recent data breach cases. Following the Clapper decision, some courts have taken a harder stance that merely the risk of future harm arising from the loss or exposure of personal data is insufficient to allege injury-in-fact.
For example, in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, personal information of U.S. military veterans had been stored on a computer that was stolen from a SAIC employee’s car.12 The plaintiffs argued they had suffered injury from the loss of privacy, the lost value of their personal and medical information, and the costs of monitoring their privacy. The court found these injuries too remote, stating that it was "highly unlikely that the crook even understood what the tapes were . . . [a]nd until Plaintiffs can aver that their records have been viewed (or certainly will be viewed), any harm to their privacy remains speculative."13 Because it appeared that the plaintiffs’ information was not the target of the criminal activity, the court found the risk was not substantial enough absent proof of some unauthorized use.
Several other courts have relied on Clapper to find that plaintiffs have no actionable injuries arising from privacy violations and data breaches.14 They generally state that plaintiffs must prove not only that their information has been compromised, but also that it has resulted in tangible, economic injuries, and mitigation costs (like credit monitoring) are not always recognized as sufficient.15 Courts have also disagreed with plaintiffs who argued they were damaged by having their data exposed through a diminution in value theory unless they also alleged that they planned to sell their personal data.16 One court also rejected plaintiffs’ statistical evidence that a data breach increased their risk of identity fraud—the "[n]amed Plaintiffs have alleged less than a 20% chance of being victimized by identity theft, identity fraud, medical fraud, or phishing, which does not create a substantial risk given the uncertainties in third party action required to produce harm here."17 Without allegations of monetary damages, courts following Clapper have considered plaintiffs’ fears of future identity theft as paranoid, unlikely, and "contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant."18 Under this line of reasoning, proven identity theft or a fraudulent unreimbursed charge on a plaintiff’s credit card may be the only harm some courts will deem sufficient to allege injury and confer standing.19
While Clapper is a powerful tool for defendants to successfully argue motions to dismiss for lack of standing, as explored below, some courts have distinguished Clapper and found alternate avenues for plaintiffs to move forward with their claims.
C. Different Views of Standing in Data Breach Cases Emerge After Clapper
Prior to Clapper, a number of cases in the consumer privacy context, particularly those in the Ninth Circuit, held that plaintiffs had standing when their personal information had been wrongfully disclosed.20 Since Clapper, additional opinions have rejected defendants’ arguments that Clapper dooms plaintiffs’ claims when their information privacy has been breached. For example, in In re Sony Gaming Networks and Customer Data Security Breach Litigation,21 hackers had obtained customers’ personal information, including their addresses, dates of birth, credit card information, and login credentials, but the plaintiffs did not have unauthorized charges to their accounts. The court still found the exposure constituted sufficient injury-in-fact, and reasoned that the Clapper decision did not create a new threshold standard for Article III standing. The court stated:
[T]he Supreme Court’s decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court’s decision overrule previous precedent requiring that the harm be "real and immediate." To the contrary, the Supreme Court’s decision in Clapper simply reiterated an already well-established framework for assessing whether a plaintiff had sufficiently alleged an "injury-in-fact" for purposes of establishing Article III standing.22
Plaintiffs also survived Clapper-based challenges in a proposed class action arising from Adobe’s 2013 data breach. In the Adobe case, the court articulated that "to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact."23 The court also agreed that, unlike in other data breach cases where claims were dismissed, here the plaintiffs’ data had been stolen by criminals, which logically meant it was likely to cause them harm—"[A]fter all, why would hackers target and steal personal customer data if not to misuse it?"24
At least one district court outside the Ninth Circuit has reached a similar conclusion, finding that Clapper did not create new standing requirements particularly given the differences between the constitutional issues at play in Clapper and those in traditional consumer privacy cases:
I respectfully disagree with my colleagues that Clapper should be read to overrule Pisciotta’s holding that an elevated risk of identity theft is a cognizable injury-in-fact. . . . The extent to which Clapper’s admittedly rigorous standing analysis should apply in a case that presents neither national security nor constitutional issues is an open question.25
In that case, credit and debit information had been stolen through the retail store’s computers, but no identity thefts were alleged to have resulted. The court ultimately dismissed the claims because they did not meet other statutory requirements, but took the time to point out that the Supreme Court’s recent Susan B. Anthony List decision catalogued a "myriad [of] circumstances" in which the risk of future harm could be established so long as it is credible and non-speculative.26
Another recent opinion resulting from Target’s massive 2013 data breach also rejected the defendant’s standing arguments. In In re Target Corporation Customer Data Security Breach Litigation, hackers had stolen customers’ account data from in-store purchase transactions.27 Some customers had alleged experiencing actual fraud on their accounts, while others had only alleged they were injured by having to change account information, pay associated fees, and incur late payment fees resulting from the inability to access their accounts. Target argued that the plaintiffs lacked standing because they had not alleged their expenses were unreimbursed or stated whether they had to close their bank accounts. The court disagreed, holding that Target’s arguments "gloss[ed] over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage. . . . Should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue."28
Even with some recent decisions rejecting the application of Clapper to consumer privacy claims, ultimately, the facts of the case and evidence that fraud or identity theft has occurred as the result of a privacy breach will bolster the plaintiffs’ claims when courts analyze that ruling at the pleading stage. And, the likelihood of identity theft can be elevated by concrete evidence—such as the presence of a plaintiff’s data in criminal possession or evidence that it has already been misused to open phony credit card accounts or to make fraudulent charges.
III. STATE AND FEDERAL STATUTES PERMIT THE PRIVATE ENFORCEMENT OF CONSUMER PRIVACY
While plaintiffs face a substantial risk of having their claims dismissed if they are unable to allege monetary damages as a result of a privacy violation or data breach, there may be statutory claims that permit private enforcement of their rights depending on the type of privacy breach, particularly those involving account information, medical records, or electronic communications.
A. Private Enforcement Under "Data Breach Notification" and Consumer Protection Laws
Data breaches involving credit and debit cards have been increasing in recent years and, while no federal statute exists to dictate how businesses must respond, nearly all states have enacted so-called "data breach notification" laws that may be used to enforce consumers’ rights.29 For example, in California, a business that suffers a data breach must notify owners of the data "immediately following discovery" of the unauthorized access.30 It also requires that the notification be in plain language, identify the information possibly subject to the breach, and provide contact information for credit reporting agencies. The law was recently amended to also require businesses that offer free credit monitoring as a remedy for a breach to offer it for a full year. Remedies available under California’s statute include damages and injunctive relief—which may require defendants to implement reasonable security standards to prevent additional breaches.
Plaintiffs affected by data breaches can also shoehorn their data breach notification claims into enforcement actions under general consumer protection and unfair competition laws.31 And, if there was a product purchased that required the defendant to maintain personal information, plaintiffs may plead claims based on a loss in value of the product or service they purchased.32 For example, in In re Sony, consumers alleged that they had paid a higher price due to representations that Sony’s security systems would protect their information. The court agreed that at least for the California consumer claims, the statutes allow for broad bases for damages: "[T]o the extent a consumer has ‘paid more for a product than he or she otherwise might have been willing to pay if the product had been labeled accurately,’ the consumer has lost money or property . . . ."33
B. Private Enforcement to Protect Medical Information
In addition to data breaches involving financial account information, instances of loss of medical information have also been on the rise in the last few years. One study indicated that over twenty-nine million patient records had been breached since 2009, and that between 2012 and 2014 medical data breaches increased by 138%.34 This is particularly alarming because health information can be more valuable to criminals than financial information if they obtain medical services assuming someone else’s identity and file false insurance claims.35
Medical privacy is regulated on federal and state levels. The federal regime—the Health Information Privacy Assurance Act ("HIPAA")—regulates the use and disclosure of personal health information ("PHI") by covered entities, such as medical providers, insurance companies, and their business associates, but it does not provide patients a private cause of action against hospitals or health care providers when they lose or improperly disclose their medical information.36
HIPAA’s regulations are divided into three parts: the Privacy Rule, the Security Rule, and the Enforcement Rule. The Privacy Rule encompasses several requirements, including that PHI will only be shared to the minimum extent necessary to achieve the purposes of disclosure.37 The Security Rule enumerates specific safeguards for physical and technological records.38 The Enforcement Rule permits the Department of Health and Human Services ("DHHS") to regulate inadequate privacy practices, and patient complaints for breaches must be handled through the DHHS Office of Civil Rights.39 However, it is rare for the DHHS to enforce HIPAA through fines—although in 2011, it fined UCLA Hospital over complaints that employees were looking at celebrity patients’ medical records.40
Some state laws also provide private enforcement mechanisms for breaches of medical privacy. In California, the Confidentiality in Medical Information Act ("CMIA") contains both public and private enforcement provisions.41 It permits private suits against medical providers for actual damages and nominal statutory damages of $1,000 for negligent releases of medical information—even when no harm has been proven. This creates a significant enforcement angle for medical privacy breaches in California, and could subject hospitals or health maintenance organizations violating the law to significant damages.
Despite the private enforcement mechanisms in the CMIA, plaintiffs may still have a tough time in court. Recent decisions have held that the loss of medical data is not sufficient to plead a claim in the absence of proof that the data was viewed or misused by an unauthorized person.42 For example, in the circumstance where a laptop containing medical data was stolen, it was not sufficient to plead a claim simply because the medical data was obtained by a criminal; "[b]ecause no one (except perhaps the thief) knows what happened to the encrypted external hard drive and the password for the encrypted information, [the plaintiff] cannot allege her medical records were, in fact, viewed by an unauthorized individual."43 In another case where a thief had stolen a healthcare provider’s computer containing the medical records of about four million patients, a California appellate court stated that the CMIA "provides for liability for failing to ‘preserve[] the confidentiality’ of the medical records[;] . . . a plaintiff must allege a breach of confidentiality, not just a loss of possession."44 Thus, absent evidence of identity theft or publication of the medical records, cases alleging breaches of medical privacy still have difficulty advancing past the pleading stage.
C. Email, Social Media, and Data Harvesting – Private Enforcement of Electronic Communications Privacy
Another growing area of privacy litigation involves claims against providers of web-based services (like email and search engines) and social media companies for data mining personal communications or tracking them on the Internet. These privacy cases differ from the data breach cases discussed above because they usually challenge some underlying business practice that intends to invade consumer privacy, rather than merely the loss of personal data that was held for operational purposes. Many plaintiffs are bringing suits under longstanding state and federal wiretap acts to challenge the increasing use of technology to understand consumer communications and behavior, which companies can then use for marketing and advertising.
On the federal level, the Electronic Communications Privacy Act ("ECPA") protects the privacy of wire, oral, and electronic communications, including email and instant messages.45 The ECPA prohibits tampering with computer lines or using other technology to ascertain the contents of any message without the authorization of one party to the communication. Some states also have more restrictive wiretap laws that impact businesses that process electronic communications between consumers. For example, the California Invasion of Privacy Act ("CIPA") prohibits the interception of communications unless all parties consent.46 California is one of many states to have such a requirement.47 Many of these statutes provide private plaintiffs with rights to seek statutory damages and injunctive relief, and that is sufficient to confer statutory standing even though no actual damages can be attributed to the challenged conduct.48
In recent cases brought under these statutes, the defendants typically do not dispute fault for the conduct alleged, but they can get the claims dismissed if they can show that the users of the service consented to the wiretapping of their communications or that the business has to intercept the communications to provide the service. For example, consumers recently challenged Google’s scanning and analysis of their emails for content that Google could use to build user profiles and sell premium advertisements.49 At the motion to dismiss stage, Google argued its terms of service permitted it to scan its users’ email, but the court disagreed, finding that the "policies did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising."50 Similarly, the court rejected Google’s argument that the scanning was necessary to maintain the free email service because it found the company violated its own privacy policies and the advertising was not instrumental to the ability to send email messages.51
In contrast, Google prevailed against consumer plaintiffs alleging Google’s practice of using "cookies" to track their internet activity violated both the ECPA and CIPA.52 Plaintiffs argued their web browsing was personal information that had been intercepted without their consent. In granting Google’s motions to dismiss, the court explained that cookies are not "content" within the meaning of either statute because they are automatically generated and do not concern the contents or meaning of communications.53 The decision is currently on appeal in the Third Circuit.
Consumers also recently challenged Facebook’s scanning of their private messages in order to send targeted advertisements.54 Facebook argued that because the practice enabled it to make money, it fell within its ordinary course of business. In denying Facebook’s motion to dismiss, the court explained that an "electronic communications service provider cannot simply adopt any revenue-generating practice and deem it ‘ordinary’ by its own subjective standard."55 The court also found Facebook’s consent arguments inadequate because, similar to the Gmail case, even though its privacy policies mentioned scanning, they did not specifically encompass scanning message content to create targeted advertising, and any express or implied consent by users would have been deficient.
IV. CONCLUSION
Although there are significant challenges, lawsuits alleging consumer privacy violations are likely to increase as big data encompasses more aspects of people’s lives. Successful consumers have obtained settlement benefits like monetary compensation, free credit monitoring, and injunctive relief intended to reduce the risk of future privacy breaches. Even unsuccessful plaintiffs may positively influence corporate behavior by causing an increased investment in data security and compliance to limit the risk of future data breaches and lawsuits. Therefore, private enforcement of consumer privacy is an important tool to protect consumers’ rights in the age of big data.
Notes:
1. Matthew George has advocated for employees and consumers for ten years, most recently as a partner at Girard Gibbs LLP. He has worked on lead counsel teams in class action privacy cases against Target, Adobe, Yahoo!, and Health Net, among others. He thanks his colleague Ashley Tveit for her assistance with the research and development of this article. The views expressed here are solely those of the author.
2. Org. Econ. Cooperation & Dev., Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value (OECD Digital Econ. Papers, Paper No. 220, 2013), available at http://www.oecd-ilibrary.org/science-and-technology/exploring-the-economics-of-personal-data_5k486qtxldmq-en.
3. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561-61 (1992).
4. See Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (explaining that employees alleged their personal information including social security numbers were wrongfully obtained when a laptop containing their personnel records was stolen); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) (explaining that consumers were impacted by hackers stealing information collected on bank’s website). But see Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (noting, without analysis, that the risk of future identity theft was somewhat "hypothetical" and "conjectural") (citing Daubenmire v. City of Columbus, 507 F.3d 383, 388 (6th Cir. 2007)).
5. See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 167 (1st Cir. 2011) (finding credit monitoring services where ID theft had occurred "recoverable as mitigation damages so long as they are reasonable").
6. See, e.g., Willey v. J.P. Morgan Chase, N.A., No. 09 CIV. 1397(CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); McLoughlin v. People’s United Bank, Inc., No. CIVA 308CV-00944 VLB, 2009 WL 2843269 (D. Conn. Aug. 31, 2009); Shafran v. Harley-Davidson, Inc., No. 07 CIV. 01365 (GBD), 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008).
7. 133 S. Ct. 1138 (2013).
8. Id. at 1145-46.
9. Id. at 1147 (internal quotations omitted) (citation omitted).
10. Id. at 1151 (internal quotations omitted) (citation omitted).
11. Id.
12. No. 12-347(JEB), 2014 WL 1858458, at *1 (D.D.C. May 9, 2014).
13. Id. at *9.
14. See, e.g., Yunker v. Pandora Media, Inc., No. 11-cv-03113 JSW, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013) (court dismissed plaintiffs’ claims alleging monetary loss arising from decrease in value of plaintiffs’ personal information and reduction of phone memory space as a result of Pandora’s application used to share personalized information with advertisers); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4159588 (N.D. Ill. Sept. 3, 2013) (court dismissed claims where only one plaintiff alleged she had experienced a fraudulent charge following a security breach at defendant’s stores, and the fraudulent charge did not result in actual monetary loss); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014) (court dismissed plaintiffs’ claims against computer security provider following cyber-attack on South Carolina Dept. of Revenue because despite cyber-attack, there was no actual proof data was stolen); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654-55 (S.D. Ohio 2014) (court dismissed claims of plaintiffs alleging they had a 19% increased risk of experiencing fraud as a result of a computer hack on an insurance provider that resulted in the dissemination of their personal information, because the increased risk was only slight).
15. See, e.g., Moyer v. Michaels Stores, Inc., No. 1:14-cv-00561, 2014 WL 3511500 (N.D. Ill., July 14, 2014).
16. See Yunker, 2013 WL 1282980, at *5; In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588, at *5 ($90 value of data on the black market did not create tangible injury unless plaintiffs had the ability to sell their data).
17. Galaria, 998 F. Supp. 2d at 655 n.8.
18. Strautins, 27 F. Supp. 3d at 876.
19. See, e.g., In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588, at *6 (although one plaintiff had experienced an attempted fraudulent charge on her card, it had not gone through; therefore, the court found her damages were insufficient to establish standing); see also In re Sci. Applications Int’l Corp., 2014 WL 1858458, at *13 (two plaintiffs’ claims survived a motion to dismiss because they had experienced identity theft that was plausibly linked to the security breach); Lambert, 517 F.3d at 437-38 (adequate injury alleged when plaintiff had tied actual identity theft to personal information posted on city defendant’s website).
20. See, e.g., In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 711-12 (N.D. Cal. 2011) (finding plaintiffs’ allegations that their personal information was disclosed as opposed to just collected and retained by defendants sufficient for purposes of establishing Article III standing); Doe 1 v. AOL, LLC, 719 F. Supp. 2d 1102, 1108-09 (N.D. Cal. 2010) (finding plaintiffs’ allegations that their personal information was collected and then disclosed sufficient for purposes of establishing standing).
21. 996 F. Supp. 2d 942 (S.D. Cal. 2014).
22. In re Sony Gaming Networks, 996 F. Supp. 2d at 961.
23. In re Adobe Systems, Inc. Privacy Litig., No. 5:13-cv-05226, 2014 WL 4379916, *8 (N.D. Cal. Sept. 4, 2014).
24. Id. at *9.
25. Moyer v. Michaels Stores, Inc., No. 1:14-cv-00561, 2014 WL 3511500, at *5 (N.D. Ill., July 14, 2014).
26. Id. at *5 (citing Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2342-43 (2014)).
27. No. 14-2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014).
28. Id. at *2.
29. Katie W. Johnson, Survey Reveals Breaches Are Increasing, but Executives Feel Unprepared to Respond, Bloomberg BNA, Sept. 29, 2014, http://www.bna.com/survey-reveals-breaches-n17179895519. All states except Alabama, New Mexico, and South Dakota have enacted data breach notification statutes. Security Breach Notification Laws, Nat’l Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last visited Feb. 10, 2015). President Obama recently announced an attempt to pass a federal data breach notification law.
30. Cal. Civ. Code § 1798.82(b).
31. See, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 985-92 (2014) (providing an example of plaintiffs surviving a motion to dismiss under California state consumer protection laws).
32. Moyer v. Michaels Stores, Inc., No. 1:14-cv-00561, 2014 WL 3511500, at *5-6 (N.D. Ill. 2014).
33. In re Sony, 996 F. Supp. 2d at 987.
34. Erin McCann, HIPAA Data Breaches Climb 138 Percent, Healthcare IT News, Feb. 6, 2014, http://www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent.
35. Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers than Your Credit Card, Reuters, Sept. 24, 2014, http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924.
36. 45 C.F.R. pts. 160 & 164, subpts. A & E.
37. 45 C.F.R. §§ 164.502(b), 164.514(d).
38. 45 C.F.R. pts. 160 & 164, subpts. A & C.
39. 45 C.F.R. pt. 79.
40. Charles Ornstein, UCLA Health System Pays $865,000 to Settle Celebrity Privacy Allegations, ProPublica, July 7, 2011, http://www.propublica.org/article/ucla-health-system-pays-865000-to-settle-celebrity-privacy-allegations.
41. Cal. Civ. Code §§ 56-56.16.
42. See, e.g., Regents of Univ. of Cal. v. Superior Court, 220 Cal. App. 4th 549 (2013); Sutter Health v. Superior Court, 227 Cal. App. 4th 1546 (2014).
43. Regents, 220 Cal. App. 4th at 570.
44. Sutter Health, 227 Cal. App. 4th at 1557.
45. 18 U.S.C. §§ 2510-2522.
46. Cal. Penal Code §§ 630-638.
47. Other states with all-party consent laws include Connecticut (Conn. Gen. Stat. §§ 53a-187, -189), Florida (Fla. Stat. § 934.03), Hawaii (Haw. Rev. Stat. §§ 803-41 to 803-48), Maryland (Md. Code Ann. § 10-402), Massachusetts (Mass. Gen. Laws ch. 272, § 99), Montana (Mont. Code Ann. § 45-8-213), New Hampshire (N.H. Rev. Stat. Ann. § 570-a:2), Pennsylvania (18 Pa. Cons. Stat. § 5704(4)), and Washington (Wash. Rev. Code § 9.73.030).
48. See In re Google Inc. Gmail Litig., No. 5:13-MD-02430-LHK, 2013 WL 5423918, at *17 (N.D. Cal. Sept. 26, 2013) ("Therefore, the Court finds that the allegation of a violation of CIPA, like an allegation of the violation of the Wiretap Act, is sufficient to confer standing without any independent allegation of injury."); see also Steven Ades & Hart Woolery v. Omni Hotels Mgmt. Corp., No. 2:13-cv-02468, 2014 WL 4627271 (C.D. Cal. Sept. 8, 2014) (granting class certification for claims brought under CIPA because of a hotel reservation service recording phone conversations unannounced and without consent: "the only ‘harm’ required by § 637.2 ‘is the unauthorized recording’"); Cal. Penal Code § 637.2(c) ("It is not a necessary prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened with, actual damages.").
49. In re Google Inc. Gmail Litig., 2013 WL 5423918.
50. Id. at *13.
51. Id. at
52. In re Google Inc. Cookie Placement Consumer Privacy Litig., 988 F. Supp. 2d 434 (D. Del. 2013).
53. Id. at 444.
54. Campbell v. Facebook, Inc., No. 4:13-cv-05996, 2014 WL 7336475 (N.D. Cal. Dec. 23, 2014).
55. Id. at *7; see also Kight v. CashCall, Inc., 200 Cal. App. 4th 1377, 1391 (2011) ("The statute . . . contains no exceptions applicable when a business monitors . . . even if the monitoring is for a legitimate business purpose."). However, some courts have allowed an exception for "service monitoring" under certain circumstances. See Sajfr v. BBG Commc’ns, Inc., No. 10-cv-2341 AJB(NLS), 2012 WL 398991, at *6 (S.D. Cal. Jan. 10, 2012) ("[I]t was not intended to prohibit ‘service-observing’ because the legislature deemed that practice to be in the public’s best interest.").