Move over robocop, there’s a new constable in town — the robocall cop. In the past decade, robocalls have surged. There has also been a dramatic rise in litigation about these calls under the Telephone Consumer Protection Act (TCPA). The TCPA litigation is led by a small group of serial litigators, people who have assumed the role of private enforcers of the TCPA. This is a fascinating story about how privacy law combats the growing scourge of robocalls. We are seeing the effective use of private litigation as an enforcement tool, but there are differing interpretations about the virtues of the robocall cops. Also wrapped up on the story is the issue of harm.
Robocalls are rising at an alarming rate. In the month of September 2017 alone, there were 2.4 billion robocalls. The number keeps rising per month, and September 2018 gave birth to 4.1 billion robocalls. At this rate, there may be billions and billions more robocalls than stars in the universe! Robocalls are definitely a problem. I’ve never heard of anyone who likes robocalls; the mosquito probably ranks higher in popularity. But robocalls persist and proliferate. Annually, in the United States, the number of robocalls exceeds 100 per person. There are 4.5 million robocall complaints per year to the FTC.
Along with the rise of robocalls, litigation has also been increasing. Lawsuits are perhaps a bit more popular than robocalls or mosquitos, but not by much. The TCPA, 47 U.S.C. § 227, passed in 1991, requires various forms of prior consent for robocalls, which are calls made with what the TCPA refers to as an “automatic telephone dialing system” (ATDS). Violations of the TCPA can be enforced through a private right of action, and there are statutory damages of $500 per violation ($1,500 for willful violations). The number of TCPA lawsuits has skyrocketed, from 14 federal cases in 2007 to 4,392 federal cases in 2017.
Cybersecurity litigation is currently at a crossroads. Courts have struggled in these cases, coming out in wildly inconsistent ways about whether a data breach causes harm. Although the litigation landscape is uncertain, there are some near certainties about cybersecurity generally: There will be many data breaches, and they will be terrible and costly. We thus have seen the rise of cybersecurity insurance to address this emergent and troublesome risk vector.
I am delighted to be interviewing Kimberly Horn, who is the Global Focus Group Leader for Cyber Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions. She also has extensive experience managing class action litigation, regulatory investigations, and PCI negotiations arising out of privacy breaches.
Harm has become the key issue in data breach cases. During the past 20 years, there have been hundreds of lawsuits over data breaches. In many cases, the plaintiffs have evidence to establish that reasonable care wasn’t used to protect their data. But the cases have often been dismissed because courts conclude that the plaintiffs have not suffered harm as a result of the breach. Some courts are beginning to recognize harm, leading to significant inconsistency and uncertainty in this body of law.
Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
In a high-profile privacy lawsuit, former pro-wrestler Hulk Hogan won a $115 million jury verdict against Gawker for posting his sex video without his consent. Hulk Hogan, whose real name is TerryBollea, brought a lawsuit for invasion of privacy and other torts. Under one of the main privacy torts — public disclosure of private facts — one can be liable if one widely and publicly discloses private information about another that would be highly offensive to a reasonable person and not of legitimate concern to the public.