Justia Communications Law Opinion Summaries

Paige Thompson committed a significant data breach, hacking into Amazon Web Services (AWS) customers' accounts, stealing data from at least 30 entities, and causing tens of millions of dollars in damage. She also used the stolen credentials to mine cryptocurrency, further increasing the financial impact on the victims. Thompson was arrested after she revealed her activities to a cybersecurity professional, leading to an FBI investigation.The United States District Court for the Western District of Washington calculated Thompson's sentencing range under the Federal Sentencing Guidelines to be 168 to 210 months of imprisonment. However, the court granted a substantial downward variance, sentencing her to time served (approximately 100 days) and five years of probation. The court emphasized Thompson's personal history, including her transgender identity, autism, and past trauma, as significant factors in its decision.The United States Court of Appeals for the Ninth Circuit reviewed the case and found that the district court overemphasized Thompson's personal story and failed to properly weigh several of the 18 U.S.C. § 3553(a) factors. The appellate court held that the district court's findings regarding Thompson's lack of malicious intent, her remorse, and the seriousness of her actions were clearly erroneous and not supported by the record. The Ninth Circuit also noted that the district court did not adequately consider the need for general and specific deterrence or the risk of unwarranted sentencing disparities.The Ninth Circuit vacated Thompson's sentence and remanded the case for resentencing, instructing the district court to properly weigh all relevant factors and provide a more substantial justification for any variance from the Guidelines. View "USA V. THOMPSON" on Justia Law

Joseph Sullivan, the former Chief Security Officer for Uber Technologies, was convicted of obstruction of justice and misprision of a felony. The case arose from Sullivan's efforts to cover up a significant data breach at Uber while the company was under investigation by the Federal Trade Commission (FTC) for its data security practices. The breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.The United States District Court for the Northern District of California presided over the trial, where a jury found Sullivan guilty. Sullivan appealed, challenging the jury instructions, the sufficiency of the evidence, and an evidentiary ruling. He argued that the district court erred in rejecting his proposed jury instructions regarding the "nexus" requirement for the obstruction charge and the "duty to disclose" instruction. He also contended that the evidence was insufficient to support his misprision conviction and that the court improperly admitted a guilty plea agreement signed by one of the hackers.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's decisions. The court held that Ninth Circuit precedent foreclosed Sullivan's argument regarding the "nexus" instruction and that the district court did not err in rejecting it. The court also found that the omission of the "duty to disclose" instruction was proper, as the theories of liability under Section 1505 and Section 2(b) were conjunctive. The court concluded that the evidence was sufficient to support Sullivan's misprision conviction and that the district court did not abuse its discretion in admitting the hacker's guilty plea agreement. The Ninth Circuit affirmed Sullivan's conviction. View "USA V. SULLIVAN" on Justia Law

A cyberattack on California Pizza Kitchen, Inc. (CPK) in September 2021 compromised the personal information of over 100,000 former and current employees. This led to multiple class action lawsuits against CPK, alleging negligence and other claims. The consolidated plaintiffs reached a settlement with CPK, offering cash payments and credit monitoring services to class members, with CPK required to make payments only to those who submitted valid claims. The settlement's monetary value was estimated at around $950,000, while the attorneys sought $800,000 in fees.The United States District Court for the Central District of California approved the settlement but reserved judgment on the attorneys' fees until after the claims process concluded. The consolidated plaintiffs reported a final claims rate of 1.8%, with the maximum monetary value of the claims being around $950,000. Despite expressing concerns about the scope of attorneys' fees, the district court ultimately awarded the full $800,000 in fees and costs.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's approval of the class settlement, finding that the district court had properly applied the heightened standard to review the settlement for collusion and had not abused its discretion in finding the settlement fair, reasonable, and adequate. However, the Ninth Circuit reversed the fee award, noting that the district court had not adequately assessed the actual value of the settlement and compared it to the fees requested. The case was remanded for the district court to determine the settlement's actual value to class members and award reasonable and proportionate attorneys' fees. View "IN RE: CALIFORNIA PIZZA KITCHEN DATA BREACH LITIGATION" on Justia Law

An underage user of the Grindr application, John Doe, filed a lawsuit against Grindr Inc. and Grindr LLC, alleging that the app facilitated his sexual exploitation by adult men. Doe claimed that Grindr's design and operation allowed him to be matched with adults despite being a minor, leading to his rape by four men, three of whom were later convicted. Doe's lawsuit included state law claims for defective design, defective manufacturing, negligence, failure to warn, and negligent misrepresentation, as well as a federal claim under the Trafficking Victims Protection Reauthorization Act (TVPRA).The United States District Court for the Central District of California dismissed Doe's claims, ruling that Section 230 of the Communications Decency Act (CDA) provided Grindr with immunity from liability for the state law claims. The court also found that Doe failed to state a plausible claim under the TVPRA, as he did not sufficiently allege that Grindr knowingly participated in or benefitted from sex trafficking.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's dismissal. The Ninth Circuit held that Section 230 barred Doe's state law claims because they implicated Grindr's role as a publisher of third-party content. The court also agreed that Doe failed to state a plausible TVPRA claim, as he did not allege that Grindr had actual knowledge of or actively participated in sex trafficking. Consequently, Doe could not invoke the statutory exception to Section 230 immunity under the Allow States and Victims to Fight Online Sex Trafficking Act of 2018. The Ninth Circuit affirmed the district court's dismissal of Doe's claims in their entirety. View "DOE V. GRINDR INC." on Justia Law

A City of Berkeley ordinance required cell phone retailers to inform prospective cell phone purchasers that carrying a cell phone in certain ways may cause them to exceed Federal Communications Commission guidelines for exposure to radio-frequency radiation. CTIA, a trade association, challenged the ordinance on two grounds: (1) the ordinance violated the First Amendment; and (2) the ordinance was preempted. CTIA requested a preliminary injunction staying enforcement of the ordinance. The district court denied CTIA’s request, and CTIA filed an interlocutory appeal. Finding no reversible error, the Ninth Circuit affirmed. View "CTIA Witeless Ass'n v. City of Berkeley" on Justia Law

Plaintiff filed a putative class action alleging that defendants sent unauthorized text messages in violation of the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. 227; California Business and Professions Code 17538.41; and California Business and Professions Code 17200. The district court granted summary judgment to defendants. As a preliminary matter, the court concluded that plaintiff has Article III standing under Spokeo, Inc. v. Robins because plaintiff established a concrete injury-in-fact. On the merits, the court concluded that the FCC has established no rule that a consumer who gives a phone number to a company has consented to be contacted for any reason. Instead, FCC orders and rulings show that the transactional context matters in determining the scope of a consumer’s consent to contact. In this case, the court held that as a matter of law plaintiff gave prior express consent to receive defendants’ text messages where he gave his cell phone number for the purpose of a gym membership contract. Revocation of consent must be clearly made and express a desire not to be called or texted. The court joined its sister circuits and agreed that the TCPA permits consumers to revoke their prior express consent to be contacted by telephone autodialing systems. Here, the court held that, although consumers may revoke their prior express consent, plaintiff's gym cancellation was not effective in doing so here. Finally, the court concluded that plaintiff lacked standing to bring his claim under the California Business and Professions Code. Accordingly, the court affirmed the judgment. View "Van Patten v. Vertical Fitness Group" on Justia Law

Dr. Lawrence P. Rudolph filed suit against SCI after various SCI members accused him of official misconduct, stripped him of his awards, and kicked him out of the association. Rudolph surreptitiously recorded a conversation with his friend John Whipple, SCI's president, and posted it on YouTube to exonerate himself. Whipple and SCI filed numerous claims against Rudolph, including statutory invasion of privacy, negligence per se, and common law invasion of privacy. The district court granted Rudolph’s motion to strike under California’s anti-SLAPP statute, Cal. Civ. Proc. Code 425.16, as to four claims, but denied relief as to three claims. Rudolph appeals. The court concluded that the district court correctly denied Rudolph's motion as to the claims for violation of California Penal Code section 632, negligence per se, and common law invasion of privacy. In this case, although Rudolph can show that those claims arise from activity he took in furtherance of his right to free speech, plaintiffs can show a reasonable probability of prevailing on each of the challenged claims. Accordingly, the court affirmed the judgment; denied Rudolph's corresponding request for an additional attorney fee award; and remanded for further proceedings. View "Safari Club International v. Rudolph" on Justia Law

Plaintiff, owner of a locksmith business, filed suit against Yelp, alleging that Yelp is responsible for causing a review from another site to appear on its page, providing a star-rating function that transforms user reviews into Yelp’s own content, and “caus[ing] [the statements] to appear” as a promotion on Google’s search engine. Section 230 of the Communications Decency Act (CDA), 47 U.S.C. 230(c), “immunizes providers of interactive computer services against liability arising from content created by third parties.” In this case, the threadbare allegations of fabrication of statements are implausible on their face and are insufficient to avoid immunity under the CDA. The court also concluded that Yelp’s rating system, which is based on rating inputs from third parties and which reduces this information into a single, aggregate metric is user-generated data. Nor do plaintiff's arguments that Yelp can be held liable for “republishing” the same content as advertisements or promotions on Google survive close scrutiny. The court concluded that, just as Yelp is immune from liability under the CDA for posting user-generated content on its own website, Yelp is not liable for disseminating the same content in essentially the same format to a search engine, as this action does not change the origin of the third-party content. The court noted that proliferation and dissemination of content does not equal creation or development of content. View "Kimzey v. Yelp!" on Justia Law

The FTC filed suit against AT&T under section 5 of the Federal Trade Commission Act (FTA), 15 U.S.C. 45(a), taking issue with the adequacy of AT&T’s disclosures regarding its data throttling program. The district court denied AT&T's motion to dismiss and rejected it's view of the common carrier exemption. The court concluded, however, that the common carrier exemption in section 5 of the FTC Act carves out a group of entities based on their status as common carriers. Those entities are not covered by section 5 even as to non-common carrier activities. Because AT&T was a common carrier, it cannot be liable for the violations alleged by the FTC. Accordingly, the court reversed and remanded. View "FTC v. AT&T Mobility" on Justia Law

Plaintiff Leah Manzari, famous under her professional name, Danni Ashe, for her groundbreaking work in monetizing online pornography, filed a defamation suit claiming that the Daily Mail Online, an online news outlet, used a photograph of her to convey the defamatory impression that she had tested positive for HIV. The Daily Mail filed an interlocutory appeal under California’s anti-SLAPP statute, Cal. Civ. Proc. Code 425.15. The court agreed with the district court that, at this stage in the litigation, Manzari has presented sufficient evidence to move forward with her claim that the Daily Mail Online employees acted with actual malice when they published the article implying that Manzari was an HIV-positive sex worker. Accordingly, the court affirmed the district court's denial of the Daily Mail's motion to strike the complaint. View "Manzari v. Associated Newspapers" on Justia Law