Business Litigation Alert

Business Litigation Alert

Practical Perspectives on Litigation Developments & Trends

Third Circuit Holds That Challenges to the Validity of a Contract Containing an Arbitration Provision Can Only Be Adjudicated by the Arbitrator

Posted in General Litigation

In a recent precedential decision, South Jersey Sanitation Co., Inc. v. Applied Underwriters Captive Risk Assurance Co., Inc., the Third Circuit held that although arbitration agreements may be invalidated by generally applicable contract defenses, like fraud, in order for the court to decide the issue, the challenge “must focus exclusively on the arbitration provision, rather than on the contract as a whole.” “If the challenge encompasses the contract as a whole, the validity of that contract, like all other disputes arising under the contract, is a matter for the arbitrator to decide.”

In South Jersey Sanitation, the dispute arose after South Jersey refused to pay premiums allegedly owed pursuant to a Reinsurance Placement Agreement (“RPA”), which contained an arbitration provision stating that any disputes arising under the contract will be arbitrated. South Jersey initially filed a complaint in the New Jersey Superior Court, seeking declaratory relief and rescission of the RPA on several grounds, including fraud, intentional misrepresentation, and illegality. In response, Applied Underwriters filed a motion to compel arbitration in accordance with the Federal Arbitration Act (“FAA”). The District Court denied Applied Underwriters’ motion to compel arbitration, on the ground that Nebraska law – the choice of law stipulated in the RPA – rendered unenforceable all arbitration provisions concerning or relating to an insurance policy.

Continue Reading

New Jersey Federal Court Relies on Spokeo to Dismiss FACTA Class Action For Failure to Allege Concrete Harm

Posted in Class Action Defense

The U.S. District Court for the District of New Jersey recently relied on the U.S. Supreme Court’s opinion in Spokeo v. Robins to grant a Rule 12(b)(1) motion to dismiss a statutory violation-based class action complaint for failure to allege a concrete injury. In Kamal v. J. Crew Group Inc., et al. the Court concluded that the plaintiff lacked standing to sue under the Fair and Accurate Credit Transactions Act (“FACTA”) because, as in Spokeo, the claims were based on a purely statutory injury, i.e., the plaintiff did not allege a “concrete and particularized” injury.

The plaintiff brought suit against J. Crew under FACTA by claiming that J. Crew’s credit card receipts improperly truncated his credit card number, as the receipts included the last four digits and first six digits of his account, rather than the last five digits only as permitted under FACTA. J. Crew moved to dismiss for failure to state a claim under Rule 12(b)(6), but the District Court denied the motion and then stayed the action to await the Supreme Court’s decision in Spokeo, which presented the issue of whether a claim of statutory damages is sufficient to confer injury in fact for standing to sue. In Spokeo, the Supreme Court affirmed the “injury-in-fact” requirement for standing, reiterating that an injury must be both “concrete and particularized.” For a thorough discussion of the Court’s holding in Spokeo, please visit our prior blogs here and here.

Continue Reading

11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”

Posted in Appellate, General Litigation

As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.

The FTC’s Final Order was viewed as a significant development in privacy law because the FTC concluded a “substantial injury” existed – and sanctions were appropriate – without any evidence of actual economic harm or physical injury, or any actual health or safety risks as a result of the data security breach. However, according to the 11th Circuit, the FTC’s conclusions raise “a serious legal question” justifying a stay pending resolution of the appeal for several reasons. First, the appeals court stated, “it is not clear that a reasonable interpretation of §45(n) includes intangible harms like those that the FTC found.” Second, it is not clear it was reasonable for the FTC to conclude that the data breach was “likely to cause substantial injury to consumers” in light of the actual scope of the breach and resulting “disclosure”. Third, the court concluded that the costs of complying with the FTC’s Final Order would cause LabMD irreparable injury because, if LabMD ultimately prevailed on appeal, the costs of compliance could not be recovered later given the FTC’s sovereign immunity. Finally, the court concluded that there would be no injury to other parties as a result of the stay.

While the 11th Circuit’s recent opinion is not the final word from the court on the various issues presented by LabMD’s appeal on the merits, it is clear that the court has some doubt as to whether the FTC was within its authority to enforce the FTC Act based upon perceived “intangible harms” and a low likelihood of any future harm. Stay tuned to this blog for future developments.

John T. Wolak is a Director in the Gibbons Business & Commercial Litigation Department.

Believe It or Not: Computer Fraud Coverage May Not Cover Fraud Involving a Computer

Posted in Insurance

Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.

Apache Corporation (“Apache”) received a phone call from an individual purporting to be a representative of Petrofac, one of Apache’s legitimate vendors. The caller instructed Apache to change the bank account for all future payments to Petrofac but was advised that the change could not be processed without a formal request on Petrofac letterhead. A week later, Apache’s accounts-payable department received an email from an address at “petrofacltd.com” (Petrofac’s authentic email domain was petrofac.com) stating that all Petrofac bank accounts had been changed, and the new account information was effective immediately. The email included as an attachment a signed letter on Petrofac letterhead providing both old bank account information and a new bank account, with instructions to “use the new account with immediate effect.” To verify the requested change, an Apache employee called the telephone number provided on the letterhead and “confirmed” the authenticity of the request. The change was then implemented, and over the next several weeks, Apache transferred approximately $7 million to the “new” account in payment of Petrofac’s legitimate invoices.
Continue Reading

Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else

Posted in Data Privacy & Security, E-Discovery

On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry.

The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
Continue Reading

Third Circuit Sets Framework for Numerosity Inquiry and Lists Factors to Consider When Determining “Whether Joinder would be Impracticable” Under Rule 23(a)(1)

Posted in Class Action Defense

One of the prerequisites for class certification under Rule 23(a) is that “the class is so numerous that joinder of all members is impracticable,” which is commonly referred to as the “numerosity” requirement. Notably, Rule 23(a)(1) is “conspicuously devoid of any numerical minimum required for class certification.” For the first time, the Third Circuit has “provide[d] a framework for district courts to apply when conducting their numerosity analyses” in a recent precedential opinion. Defendants opposing class certification must be aware of this framework, particularly since numerosity is an often overlooked prerequisite yet may provide ample grounds for defeating certification in certain actions.

In the underlying lawsuit, In re Modafinil Antitrust Litigation, the District Court certified a class of 22 direct purchasers of a pharmaceutical drug who alleged a global conspiracy between the brand manufacturer and generic drug manufacturers in violation of various antitrust laws. In considering whether joinder was “impracticable,” the District Court considered the following factors: “(1) judicial economy, (2) geographic dispersion, (3) financial resources of class members, (4) the claimant’s ability to institute individual suits, and (5) requests for injunctive relief that could affect future class members.”

Continue Reading

Eighth Circuit Relies on Spokeo to Hold That Retention of Personal Information, Without More, Does Not Satisfy Article III’s Injury-in-Fact Requirement

Posted in Class Action Defense

The United States Supreme Court decision in Spokeo v. Robins, in which the Court considered whether a claim of statutory damages was sufficient to confer Article III standing, left much to be desired in terms of guidance for lower courts and litigants. Nonetheless, the Eighth Circuit’s recent refusal to revive a putative class action over Charter Communications Inc.’s allegedly indefinite retention of consumer data illuminated a way for defendants to trim claims of bare statutory violations, while clarifying how Spokeo should be applied.

In the published decision of Braitberg v. Charter Communs., Inc., the plaintiff alleged on behalf of himself and a putative class that Charter had indefinitely retained his personally identifiable information in violation of the Cable Communications Policy Act. Braitberg claimed that Charter’s failure to destroy customers’ personal information injured him and the proposed class members in two ways. First, he alleged a “direct invasion of their federally protected privacy rights.” Second, he claimed that Charter allegedly deprived him and the class of the full value of the services they purchased from Charter, and ascribed a monetary value to controlling their personal information. The Eastern District of Missouri granted Charter’s motion to dismiss for lack of Article III standing, and the Eighth Circuit stayed its decision pending the outcome of Spokeo.

Continue Reading

Applying Federal Common Law, Third Circuit Approves Assignment, Without Consideration, of Antitrust Claims from Direct Purchaser to Indirect Purchaser

Posted in Antitrust

In a recent precedential opinion in a case of first impression, the Third Circuit held that a written, express assignment of federal antitrust claims is valid even though no consideration is exchanged between the assignee and assignor. In doing so, the Third Circuit revived a putative class action by an indirect purchaser whose complaint had been dismissed by the District of Delaware for lack of standing under Illinois Brick.

In Wallach v. Eaton Corp., the plaintiff alleged the existence of an antitrust conspiracy among a dominant truck part manufacturer and certain downstream original equipment manufacturers (“OEMs”), which build trucks using the parts purchased from the manufacturer. The plaintiff acquired a truck built by an OEM allegedly involved in the conspiracy, but it did not purchase the truck directly from the OEM. Instead, it purchased the truck from an intermediary, which had acquired the truck directly from one of the conspiring OEMs.

Continue Reading

The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices

Posted in General Litigation

The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.

In I/M/O LabMD, Inc., the Commission reversed an Administrative Law Judge’s Order, and concluded that LabMD had violated the FTC Act because its data security practices had caused, and were also likely to cause, substantial consumer injury, including identity theft, medical identity theft, and other harms.

The decision stemmed from allegations that LabMD, which operated as a clinical laboratory testing center, failed to protect patients’ sensitive personal information, including names, addresses, dates of birth, Social Security numbers, insurance information, diagnosis codes, and physician orders for tests and services. Specifically, the Commission found that LabMD failed to use file integrity monitoring, neglected to monitor traffic coming across its firewalls, failed to have an intrusion detection system, provided essentially no data security training to its employees, and never deleted any of the consumer data it had collected. These data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years. The file-sharing software was configured (unwittingly) to allow exposure of patient information on a peer-to-peer network accessible daily by millions of users. However, the only documented disclosure of patient information that occurred was a single “breach” by a data security firm looking to generate new business, who had used the peer-to-peer network to access a file containing sensitive data for approximately 9,300 individuals.

Continue Reading

In Suit Alleging Misleading Employment Rates, Third Circuit Rejects Class Certification Premised Upon Invalid Damages Theory

Posted in Class Action Defense

The Third Circuit recently affirmed a decision from the District Court of New Jersey denying class certification in an action alleging that Widener University School of Law defrauded its students by publishing and marketing misleading statistics about graduates’ employment rates. In its precedential opinion adjudicating plaintiffs’ interlocutory appeal pursuant to Fed. R. Civ. P. 23(f), the Third Circuit concluded that although the District Court misconstrued plaintiffs’ damages theory, the error was harmless because the Court would have nonetheless concluded that plaintiffs failed to satisfy the predominance requirement. This opinion, authored by Circuit Judge Chagares, is an example of defendants defeating class certification when plaintiffs cannot proffer a valid method of proving class-wide damages, as required by the U.S. Supreme Court in Comcast v. Behrend several years ago.

By way of background, plaintiffs were graduates of Widener Law who alleged that the school violated the New Jersey Consumer Fraud Act (“NJCFA”) and the Delaware Consumer Fraud Act (“DCFA”) by advertising misleading statistics about alumni employment rates; they claimed that the statistics included non-legal and part-time positions without categorical break down, thereby causing students to believe that the statistics were for full-time legal employment. Plaintiffs alleged that the misleading statistics allowed Widener Law to charge higher tuition than it would have received if the accurate statistics were marketed and published. Plaintiffs sought damages in the amount of overpaid tuition.

Continue Reading

Lexblog