Key Allegations:

• • Cybercriminal “USDoD” claimed to access and leak nearly 2.7 billion NPD records containing sensitive personal info like SSNs.
  • NPD allegedly collects personal data from various sources without subjects’ knowledge or consent to compile and sell access to.
  • Exposed data is already being leaked on hacker forums and the dark web where criminals can exploit it for identity theft and fraud.
  • NPD has not notified affected individuals or explained the cause of the breach and remedial measures taken.
  • Plaintiff and class face substantial risk of identity theft and must incur costs for credit monitoring, data removal, etc.

Why It Matters:

• • The vast number of people potentially impacted makes this one of the largest data breaches ever, affecting nearly 1 in 3 people globally.
  • Highlights risks of data brokers amassing huge troves of personal info, often without the subjects’ knowledge or ability to opt out.
  • Sensitive data like SSNs in criminal hands creates major identity theft and fraud risks that can haunt victims for years.
  • Even deceased people’s data was exposed, enabling criminals to commit “ghosting” fraud using their info.
  • Shows importance of strong data security and breach response, as Plaintiff alleges NPD’s failures enabled the breach and compounded harms.

Key Takeaways:

• • The colossal scale of personal data allegedly collected and exposed makes this case highly consequential for data privacy standards.
  • Breach illustrates the major risks of data brokers compiling mass databases of personal info without subjects’ knowledge or consent.
  • Underscores importance of robust data security measures and breach notification/remediation to protect people’s sensitive info.
  • Shows how breaches can have ripple effects, with this data resurfacing on dark web and hacker sites where it can be exploited.
  • Will be closely watched for court’s analysis of company’s legal duties re: data security and standing for massive class actions.

Elements Explained – Selected Claims:

• • Negligence Per Se: Must show: 1) NPD violated a statute/reg (like FTC Act section 5 here); 2) The violation proximately caused the injury; 3) Plaintiff is in class of persons statute intended to protect; 4) Injury is type statute aimed to prevent.
  • Unjust Enrichment: Requires: 1) NPD received benefit ($$ for PII); 2) at Plaintiff’s expense (his PII used); 3) under circumstances making it unjust for NPD to retain the benefit without paying.
  • Breach of Implied Contract: An implied agreement can arise from parties’ conduct, here NPD collecting PII in exchange for an implied promise to safeguard it. Elements: 1) Plaintiff provided PII to NPD; 2) NPD failed to reasonably protect it.
  • CA Consumer Legal Remedies Act:Prohibits “unfair methods of competition and unfair or deceptive acts or practices.” NPD’s collection and poor security of PII without disclosing breach risks could be unfair/deceptive practice.
  • CA Unfair Competition Law: Forbids any “unlawful, unfair or fraudulent business act.” NPD’s inadequate data security and misrepresentations about security could violate the UCL.

How Laws Apply:

• • NPD likely had legal duty to use reasonable data security measures, so its apparent failure to do so could be negligence.
  • If NPD violated Section 5 of the FTC Act by misrepresenting its security practices, that could be negligence per se.
  • By profiting off of selling access to Plaintiff’s PII yet failing to protect it as impliedly agreed, NPD may be unjustly enriched.
  • If NPD contracted with third parties to properly secure data and didn’t, it could have breached those agreements, harming intended beneficiary Plaintiff.
  • If NPD omitted known data breach risks when collecting PII, that could be an unlawful/unfair practice under the UCL and CLRA.

What to Watch:

• • Which claims survive the pleadings stage and NPD’s likely motion to dismiss certain causes of action.
  • The court’s analysis of NPD’s specific legal duties regarding data security as a data broker and whether they were breached.
  • If the court finds Plaintiff has properly pled the elements of each claim based on NPD’s alleged conduct.
  • How the court construes and applies California’s UCL and CLRA to data privacy issues like improper PII collection and security failures.
  • The scope of damages available if Plaintiff’s claims succeed, from restitution to injunctive relief mandating security improvements.

Examples from Complaint:

• • Plaintiff and class must spend $355-395/year to automate data removal requests to get their PII off data broker sites after the breach.
  • $200/year for credit monitoring services and $180/year for dark web scanning to detect and prevent identity theft post-breach.
  • PII has lost value now that it’s been released and is no longer private – data like SSNs previously worth $40-363 per record.
  • Lost time value for hours spent dealing with breach aftermath, like reviewing accounts, disputing fraudulent activity, etc.
  • Breach inflicted stress, nuisance, annoyance, and lost productivity that can be compensated as general damages.

Legal Standards:

• • To recover actual damages, Plaintiff must prove losses with reasonable certainty, though exact precision isn’t required.
  • “Benefit of the bargain” compensation puts Plaintiff in position he’d be in had NPD upheld its end of the deal to protect data.
  • Plaintiff doesn’t need to show actual identity theft/fraud to get damages – exposure to increased risk can be injury.
  • Court can grant injunction if Plaintiff shows: 1) Likelihood of success; 2) Irreparable harm; 3) Balance of hardships favors Plaintiff; 4) Injunction serves public interest.
  • For punitives, Plaintiff must show oppression, fraud or malice by clear and convincing evidence.

Factors to Watch:

• • Can Plaintiff prove class members suffered real, non-speculative harm despite no claims of actual identity theft so far?
  • How will court quantify hard-to-measure damages like emotional distress, lost PII value, and annoyance?
  • Will benefit of the bargain damages apply in an implied contract where Plaintiff never directly dealt with NPD?
  • Can Plaintiff show likelihood of future harm and inadequate legal remedies to warrant an injunction?
  • Does NPD’s conduct in allegedly misusing PII and hiding breach risks rise to level deserving of punitive damages?

Broader Impacts:

• • Case could set precedent for legal remedies available in future data broker breach cases.
  • Plaintiff victory may open floodgates to more class actions against data aggregators, increasing their litigation risk.
  • Security upgrades and reforms that result could become de facto industry standards.
  • Court rulings will clarify scope of implied contracts between data subjects and brokers and when they are breached.
  • Case brings attention to largely unregulated data broker industry and may spur calls for targeted privacy legislation.

Key Questions:

• • Will the unprecedented scale of the class and PII at issue make the court more or less inclined to certify the class?
  • How will the court deal with potential variations in state law for a nationwide class asserting some state law claims?
  • What level of culpability does NPD need to have shown regarding the breach to warrant the remedies sought?
  • How much weight will the court give FTC data security standards in assessing NPD’s duty of care and alleged negligence?
  • If NPD is hit with a huge damages verdict, will it drive smaller data brokers out of business or spur consolidation?

Potential Outcomes:

• • Court certifies a class, Plaintiff wins on key claims, and NPD pays massive damages and enacts major security improvements.
  • Court substantially narrows the class or dismisses some claims, reducing NPD’s exposure and weakening precedent.
  • Parties reach a settlement where NPD pays a smaller sum and agrees to moderate security upgrades and reforms.
  • NPD succeeds in compelling arbitration and avoiding court, minimizing potential class-wide liability.
  • Court splits the difference with a modest class-wide award and declaratory judgment on data broker duties without injunction.

Questions:

• • 1. What must a plaintiff show to have standing to sue over a data breach?
    • A) The plaintiff’s data was definitely stolen and misused
    • B) Evidence of falsified accounts or ID theft in the plaintiff’s name
    • C) A concrete injury or substantial risk of imminent harm
    • D) Actual financial losses like fraudulent credit card charges
  • 2. What factor tends to demonstrate a company’s negligence in a data breach?
    • A) The company used industry-standard encryption protocols
    • B) It trained employees annually on data security
    • C) It failed to patch a known vulnerability
    • D) It notified affected consumers within 30 days
  • 3. What’s a common damages theory asserted in breach litigation?
    • A) Trespass to chattels
    • B) Breach of the implied warranty of merchantability
    • C) Violation of the covenant of good faith and fair dealing
    • D) Unjust enrichment
  • 4. Which law has the FTC used to set data security standards?
    • A) The Fair Credit Reporting Act
    • B) Section 5 of the FTC Act
    • C) The Gramm-Leach-Bliley Act
    • D) The Computer Fraud and Abuse Act
  • 5. What’s a hurdle for data breach class actions?
    • A) Satisfying Rule 23(a)’s typicality requirement
    • B) Showing classwide proof of actual harm
    • C) Overcoming potential arbitration clauses
    • D) All of the above

Answers:

• • 1. C) Courts have held a data breach plaintiff has standing by plausibly alleging the breach caused actual, concrete injury OR substantial risk of imminent harm, even without proven misuse of their data yet.
  • 2. C) Failing to patch a known security vulnerability that enables a breach can demonstrate negligence, while using proper encryption, training, and notification protocols tends to show reasonable care.
  • 3. D) Unjust enrichment is a common quasi-contract claim in data breach cases, arguing it would be inequitable for the company to retain benefits obtained from the plaintiff’s data if it failed to secure that data as promised.
  • 4. B) The FTC has used its authority under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices,” to bring enforcement actions over inadequate corporate data security measures.
  • 5. D) Data breach class actions can face multiple certification hurdles, including showing the class rep’s claims are typical, that common issues predominate over individual ones, and that the case should stay in court rather than be compelled to arbitration.