It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate as buying a generator to prepare for “Y2K.” There is no need to get too emotional, but there is no reasonable dispute that privacy issues are now just a part of our lives. April 24, 2019 is a watershed moment in privacy law when the U.S. Supreme Court issued a decision in Lamps Plus, Inc. v. Varela, 2019 1780275 (April 24, 2019), a case that starts with a data breach.
- The Breach
In Lamps Plus, an employee, Frank Varela, filed a class action against his employer, Lamps Plus, in the U.S. District Court of California. Varela claimed his employer’s negligence provide a hacker with access to tax information that resulted in a fraudulent tax return being filed in his name. Varela’s class action complaint further asserted that 1,300 other employees had their information taken as well.
- Procedural History
Lamps Plus filed a motion to dismiss in the District Court wherein it argued the arbitration agreement in Varela’s employment contract required the dismissal of Varela’s class action lawsuit and that his claims should be arbitrated on an individual basis rather in a class action. The District Court denied the portion of the motion seeking to have the class members arbitrate their claims on an individual basis but authorized the arbitration of the claims on a class-wide basis. The Ninth Circuit affirmed the District Court’s decision to allow the class action plaintiffs arbitrate their claims as a class rather than require each class member arbitrate their claims individually. In particular, the Ninth Circuit’s holding, based on a finding that the arbitration provision was ambiguous, would have allowed Varela and the other employees to pursue their claims as a class in an arbitration proceeding.
In short, Varela argued that he should be permitted to litigate—in the courts—a class action against Lamps Plus despite signing an employment agreement with an arbitration provision stating “arbitration shall be in lieu of any and all lawsuits or other civil legal proceedings related to my employment.” On the other hand, Lamps Plus took the position that the case should be arbitrated and Varela was required to arbitrate his claims individually rather than drawing on the strength of other members in a class action. (A good breakdown of these issues can be found in this New York Times article.)
- Supreme Court’s Decision In Favor Of Lamps Plus
In a 5-4 decision, the Supreme Court reversed and remanded the Ninth Circuit’s decision since Lamps Plus did not expressly agree to arbitrating employee disputes on a class action basis. Based on the arbitration provision in the employment agreement, Chief Justice Roberts—writing the majority opinion— held only individual arbitrations were permitted. The Majority further opined “Class arbitration ‘sacrifices the principal advantage of arbitration—its informality—and makes the process slower, more costly, and more likely to generate procedural morass than final judgment.’”
- How To Approach These Issues
Admittedly, the central issue in the Lamps Plus decision relates to the enforcement of an arbitration clause and merely happens to arise out of data breach. Nevertheless, this issue should be front and center for any employer that collects an employee’s private data. In addition to reaching an agreement on the process of bringing claims against an employer (class actions versus individual claims), employment agreements may need to start addressing whether privacy claims should be litigated or arbitrated.
A further example was seen on April 9, 2019 when the Appellate Court of Illinois found an arbitration agreement did not allow an employer to arbitrate an employee’s biometric data claim. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645 (April 9, 2019). In Liu, the Court of Appeals rejected an employer’s contention that an employment agreement to arbitrate “wage or hour violation” claims would include the plaintiff’s alleged biometric data violations. The Liu court rejected the employer’s argument “that the sole purpose of requiring employees to scan their fingerprints was to monitor the hours worked, which makes it a ‘wage or hour violation’ claim.”
These two recent cases involving employment agreements demonstrate that there are a number of moving parts to a privacy lawsuit that must be considered by both those collecting the data and those having their data collected.