Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹

Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party.

In light of this ruling, we surveyed certain of the most active Circuit Court’s behavior on the Article III standing issue (post-data breach). While there are certainly trends in each circuit, it seems risk of future harm in particular, is often evaluated, rightly, based on the specific facts of the matter, which still does cause some variance within each circuit. Below we explore these trends, and the circumstances under which injury in fact is often found. Given the recent TransUnion ruling, we expect the circuits to maintain some variability and look to distinguish the TransUnion case when possible.

Second Circuit

The Second Circuit very recently faced this issue, and acknowledged “join[ing] all of [its] sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” The court held that plaintiffs lacked standing due to a failure to plead a sufficient risk of future identity fraud. This is in contrast to its decision in Whalen v. Michael Stores, Inc., 689 F. App’x 89, 90-91 & n.1 (2d Cir. 2017), which seemed to favor the Sixth and Seventh Circuit’s approach.

The Second Circuit also recently looked to this issue in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, at 11 n.3 (2d Cir. April 26, 2021). When the defendant employer accidentally sent an email containing employee PII, plaintiff employees sued for negligence and violation of state consumer protection laws. Plaintiffs’ PII was not, at the time of the case, misused or stolen. The court remained consistent with its decision in Whalen concluding that despite measures taken to avoid identity theft, the plaintiffs could not show injury in fact.

Third Circuit

The Third Circuit has taken its own approach, allowing standing when data is statutorily protected, but rejecting risk of harm arguments for common law claims. This is demonstrated by the court in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017), which found standing when personal data was breached in violation of the Fair Credit Reporting Act. The court did not delve into the future risk of harm issue, as it had already found a “cognizable injury.” Id.

The future risk of harm issue was discussed however in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (“Unless and until [] conjectures [about alleged future identity theft] come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”), and Kamal v. J. Crew Grp., Inc., 918 F.3d 102, 113 (3d Cir. 2019) (denying standing where no information was stolen or disclosed, or where a threat-actor would need to piece together information from different sources in order to proceed with identity theft, and stating “[i]f a procedural violation does not present a material risk of harm to an underlying interest, a plaintiff fails to demonstrate concrete injury under Article III”).

Fourth Circuit

The Fourth Circuit additionally rejects the risk of future harm argument, finding in Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017) that the plaintiffs’ supposed risk of future identity theft was “too speculative” when plaintiffs failed to present evidence that their personal information had been accessed or misused.

A year later however, in Hutton v. Natl. Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018), the court of appeals distinguished the Beck decision and vacated a district court’s dismissal of class action suit. There, the Fourth Circuit found injury in fact when Plaintiffs alleged that they were victims of identity theft and credit card fraud, which constituted misuse and thus satisfied the injury prong of Article III. Id.

7th Circuit

The Seventh Circuit favors standing when a breach causes an increased risk of harm to the affected individuals, when the data exposed is likely to lead to identity theft. This is supported by the decisions in Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007), which found injury in fact when plaintiffs claimed an increased risk of data theft after their information had been accessed by a malicious and sophisticated hacker; Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) where injury in fact was found when plaintiffs spent time resolving fraudulent charges even when the bank prevented charges from going through; and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015), where similarly, victims of identity theft suffered “aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed and pursue relief for unauthorized charges.”

However, some recent cases show that the Seventh Circuit is not quite ready to accept that any potential for identify theft satisfies the injury in fact element of standing. For example, in Kylie S. v. Pearson PLC, 475 F. Supp. 3d 841, 846 (N.D. Ill. 2020), the court did not find standing where the data breached could not “easily be used in fraudulent transactions,” and where plaintiffs were unable to show any consequences of the breach a year following the incident.

Ninth Circuit

The Ninth Circuit has determined that a plaintiff can establish standing by showing injury in fact based on the increased risk of identity theft following a data breach. In Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), the court found that the plaintiffs had standing where they “alleged credible threat of real and imminent harm stemming from the theft of a laptop containing their unencrypted personal data.” Likewise, the court in In re, Inc., 888 F.3d 1020, 1028 (9th Cir. 2018), found that “Plaintiffs sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.”

Eleventh Circuit

The Eleventh Circuit has found that a plaintiff must show more than an increased risk of identity theft to establish injury in fact for Article III standing. In Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332, 1343 (11th Cir. 2021), the court explained that the information allegedly accessed by the hackers “generally cannot be used alone to open unauthorized or new accounts” therefore, “it is unlikely that the information allegedly stolen [ ], standing alone, raises a substantial risk of identity theft.


While the Supreme Court did provide further color to the issue of risk of future harm, we have yet to see how this plays out in the context of a data breach. The trends in the circuits tell us that in the absence of a showing that individual data was indeed misused, we can expect courts across the circuits to evaluate each case based on the facts and circumstances at hand, and continue to draw conclusions based on the trends discussed above. However, with the Supreme Court using dissemination of information as the threshold to determine harm, it will be interesting to see what is to come in this space. For now, we can expect the following trends to continue in the circuits:

Threshold 1st 2nd 3rd 4th DC 5th 6th 7th 8th 9th 10th 11th
Actual Harm (Pecuniary Loss) X X X X X X
Threat of Harm/Misuse X X X X
Middle Ground X X X X X

1. See Georgia hospital system hit with ransomware attack following Biden-Putin summit Ι Fox Business

2. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as revised (May 24, 2016)

Tuesday, June 29, 2021
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific


The CARES Act gives borrowers a payment break on federal student loans—but starting in October, payments will start back up. Servicers of private and federal student loans are beginning to face lawsuits alleging that it harmed student loan borrowers throughout the repayment process. These suits could take years to conclude.

In the fifth installment of the Consumer Financial Services Litigation Webinar Series, Seyfarth attorneys will review this past year and will unfold the regulatory and legislative initiatives underway. Specifically, the presenters will cover:

  • Federal Student Loan Payment Moratorium
  • American Rescue Plan Tax Relief
  • Loan Forgiveness Initiatives
  • Developments in Bankruptcy Discharge

Consumer Financial Services Webinar Series

Given the magnitude of the potential changes ahead, Seyfarth has developed a webinar series designed to convey strategies and best practices to help you to ensure that your company and internal clients are prepared for what is ahead. To stay abreast of these changes, please subscribe to our mailing to list.

Subscribe to Seyfarth’s Consumer Financial Services Mailing List.

For updates and insight on Consumer Financial Services Issues, we invite you to click here to subscribe to Seyfarth’s Consumer Class Defense Blog.

David Bizar, Partner, Seyfarth Shaw LLP
Bill Hanlon, Partner, Seyfarth Shaw LLP
Anne Dunne, Associate, Seyfarth Shaw LLP

If you have any questions, please contact Colleen Vest at and reference this event.

This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC, FL and VA.  The following jurisdictions accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, ME, NH.  The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD.  For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. If you have questions about jurisdictions, please email

Requests for the inspection of books and records pursuant to Section 220 of the Delaware General Corporation Law is an important part of corporate litigation in Delaware. One important issue for these types of proceedings is the scope of documents that these types of requests can reach, particularly when it comes to privileged documents and other pre-discovery material. The following was published by The D&O Diary on May 17, 2021.

This article provides a summary of recent Delaware decisions on the permissible scope of shareholder books and records demands pursuant to Section 220 of the Delaware General Corporation Law (“Section 220”), including whether shareholders may use Section 220 to obtain pre-complaint discovery and/or privileged corporate documents. In short, there has been a significant uptick in Section 220 demand litigation in recent years and shareholders are frequently using Section 220 as an alternative method of obtaining discovery for ongoing or potential future fiduciary litigation. This article summarizes where shareholders have been permitted to proceed with such demands and where Delaware courts have drawn the line.

Section 220 Procedure

Section 220 provides shareholders with the right to inspect the books and records of a Delaware corporation where the shareholders have demonstrated a proper purpose. Procedurally, Section 220 requires shareholders to first serve a demand for inspection on a corporation and, if the demand is rejected, shareholders may initiate an action in Delaware Chancery Court to compel the production of the sought records. Section 220 actions are summary proceedings, which are supposed to be litigated in a more expeditious manner than regular lawsuits. These cases are quickly moved to a trial before a judge in the Court of Chancery. Sometimes, the parties forgo trial and instead, merely submit papers and hold oral argument.

Proper Purpose of Investigating Wrongdoing

There has been an explosive growth in Section 220 demand litigation in recent years with many shareholders using Section 220 as a tool for obtaining pre-complaint discovery to build cases against corporations and their officers and directors. This has led to many recent Delaware decisions evaluating whether shareholders were actually seeking books and records for a proper purpose under Section 220.

Delaware courts have held that a proper purpose can include investigating possible mismanagement, waste, improper transactions, self-dealing, etc. Where documents are sought for investigatory purposes, shareholders “must present some evidence to suggest a credible basis from which a court can infer that mismanagement … or wrongdoing may have occurred.”[i] This is the “lowest possible burden of proof” and “does not require a stockholder to prove that the wrongdoing actually occurred.”[ii] Because of this low standard, shareholders generally are permitted to proceed with their sought after review of corporate records.

However, this standard is not without limitations. For example, in 2017, in Wilkinson v. A. Schulman, Incorporated,[iii] the Delaware Chancery Court found there was no proper purpose where the shareholder conceded that his reasons for seeking the documents were substantially different from those set forth in the document demand drafted by his attorneys. Although the shareholder verified the complaint, he did not confirm the accuracy of the allegations contained therein, did not review the company’s answer, and was not otherwise involved in efforts to obtain the documents. In this case, the Court held that the shareholder’s “purported purposes were not his actual purposes” and, instead, “were his counsel’s purposes.”[iv] In subsequent rulings, Delaware courts have declined to extend Wilkinson, noting that the case “involved extreme facts” and “blunders.”[v] Indeed, following Wilkinson, Delaware courts have generally deferred to a shareholder’s asserted purpose unless it is obvious that the shareholder “[i]s a passive conduit in a purely lawyer-driven inspection effort.”[vi]

Recent Delaware decisions have affirmed the very low standard for establishing a proper purpose and have permitted shareholders to proceed with Section 220 demands, even where it appears shareholders are using this inspection tool solely to pursue future litigation.[vii] For example, in a late 2020 decision in AmerisourceBergen Corporation v. Lebanon County Employees’ Retirement Fund, the Delaware Supreme Court made two rulings favorable to shareholders pursuing Section 220 demands.[viii] First, the Court held that “when the purpose of an inspection of books and records under Section 220 is to investigate corporate wrongdoing, the stockholder seeking inspection is not required to specify the ends to which it might use the books and records.”[ix] However, the Court did note that shareholder’s “intended uses” were not entirely “irrelevant.”[x] Next, the Court held that a shareholder is not required to establish that the alleged wrongdoing it seeks to investigate is legally actionable in order to demonstrate a proper purpose.[xi] Yet, the decision indicated that “a court may be justified in denying inspection” in the “rare case” where a shareholder’s “sole reason for investigating mismanagement or wrongdoing is to pursue litigation and a purely procedural obstacle, such as standing or the statute of limitations, stands in the stockholder’s way.”[xii] This decision reaffirms that shareholders can generally use Section 220 demands as a means of obtaining pre-complaint discovery.

Section 220 Demands for Privileged Documents and the Garner Doctrine

Shareholders sometimes seek privileged or attorney work product protected documents in their Section 220 demands, a topic that has been litigated with some frequency since a 2014 Delaware Supreme Court opinion finding that shareholders are permitted do so in certain situations (the “IBEW decision”).[xiii] In the IBEW decision, the Delaware Supreme Court, for the first time, formally recognized the Garner doctrine, “which allows stockholders of a corporation to invade the corporation’s attorney-client privilege in order to prove fiduciary breaches by those in control of the corporation upon showing good cause”[xiv] Prior to this decision, the Delaware Chancery Court had applied the Garner doctrine to Section 220 litigation, even though it had not been expressly recognized by the Supreme Court.[xv]

In determining whether the Garner “good cause” exception to the attorney-client privilege applies, a court considers multiple factors, including:

(1) the number of shareholders and the percentage of stock they represent;

(2) the bona fides of the shareholders;

(3) the nature of the shareholders’ claim and whether it is obviously colorable;

(4) the apparent necessity or desirability of the shareholders having the information and the availability of it from other sources;

(5) whether, if the shareholders’ claim is of wrongful action by the corporation, it is of action criminal, or illegal but not criminal, or of doubtful legality;

(6) whether the communication related to past or to prospective actions;

(7) whether the communication is of advice concerning the litigation itself;

(8) the extent to which the communication is identified versus the extent to which the shareholders are blindly fishing;

(9) the risk of revelation of trade secrets or other information in whose confidentiality the corporation has an interest for independent reasons.[xvi]

Since the IBEW decision, Delaware courts have found that: (1) “the colorability of the claim,” (2) “the extent to which the communication is identified versus the extent to which the shareholders are blindly fishing,” and (3) the necessity and availability of the sought information are the three most important factors in determining whether the Garner exception is applicable.[xvii] Delaware courts have been particularly reluctant to apply the Garner doctrine where necessity and unavailability have not been established.[xviii]

The applicability of the Garner doctrine has been evaluated in several Delaware decisions following IBEW.[xix] These cases involved a fact intensive analysis of the Garner factors. There has been only one decision, subsequent to IBEW, in which the Garner exception was found to apply and a company was ordered to produce privileged documents.[xx] This is somewhat unsurprising since the Garner exception is intended to be “narrow,” “exacting,” and “very difficult to satisfy.”[xxi]

Most recently, on May 4, 2021, a Delaware Chancery Court refused to apply the Garner exception in a derivative case involving the 2018 approval of Tesla’s CEO Elon Musk’s compensation plan.[xxii] In that case, the derivative plaintiff sought privileged communications between Tesla’s outside legal counsel, in-house counsel and compensation committee regarding the committee’s independence from Musk. Although the Court found that the plaintiff had established a colorable claim and was not fishing, the Court ultimately held that “plaintiff’s showing [of necessity and unavailability] falls well short of the narrow and exacting mark set by Garner and its Delaware progeny.” The court rejected plaintiff’s conclusory assertions that the information sought was necessary and unavailable and noted that plaintiff “provide[d] no meaningful explanation as to why [the information sought] [wa]s not or will not be adequately addressed in the nonprivileged discovery available to plaintiff.”


In sum, recent Delaware case law reflects the challenges of opposing Section 220 demands. Although a shareholder must establish a “credible basis” for a demand, Delaware courts have reaffirmed that this is the “lowest possible burden of proof” and that shareholders do not need to show legally cognizable wrongdoing. On the other hand, Delaware courts have been more conservative in permitting shareholders access to privileged documents. Unless a shareholder can set forth non conclusory reasons as to why the privileged documents are necessary and unavailable from other sources, among other items, they will not be permitted to inspect privileged documents.


[i] See, e.g., Pettry v. Gilead Sciences, Inc., C.A. No. 2020-0132-KSJM, 2020 WL 6870461, at *10 (Del.Ch. Aug 26, 2020).

[ii] Id. at *11 (quotations omitted).

[iii] C.A. No. 2017–0138–VCL, 2017 WL 5289553, at *3 (Del.Ch. Nov. 13, 2017).

[iv] Id.

[v] See, e.g., Pettry., 2020 WL 6870461, at *15; Gross v. Biogen Inc., C.A. No. 2020-0096-PAF, 2021 WL 1399282, at *6 (Del.Ch. Apr. 14, 2021).

[vi] Pettry, 2020 WL 6870461, at *1.

[vii] Delaware courts have also awarded plaintiffs fees where Defendants have acted in an “overly aggressive” manner in defending Section 220 actions. See, e.g., Pettry, 2020 WL 6870461, at *29 (“defendants have turned books and records litigation into a surrogate proceeding to litigate the possible merits of the suit where they place obstacles in the plaintiffs’ way to obstruct them from employing it as a quick and easy pre-filing discovery tool”); See also Gross, 2021 WL 1399282, at *5.

[viii] In AmerisourceBergen, the shareholders sought materials “from May 1, 2010 to date concerning certain settlements, acquisitions, investigations, and other events related to AmerisourceBergen’s operations and its potential involvement in the opioid crisis.” 243 A.3d 417, 423 (Del. Supr. 2020)

[ix] Id. at 430.

[x] Id. at 429.

[xi] Id. at 437.

[xii] Id.

[xiii] Wal-Mart Stores, Inc. v. Indiana Elec. Workers Pension Trust Fund IBEW, 95 A.3d 1264, 1278-79 (Del. Supr. 2014).

[xiv] Id. at 1276.

[xv] See, e.g., id. at 1278. In the IBEW decision, the Delaware Supreme Court found that the Garner exception applies in both “plenary stockholder/corporation proceedings” and “Section 220 actions.” Id. Since then, one Delaware Chancery Court decision has suggested that it may also apply in cases where shareholders assert direct claims for breach of corporate fiduciary duties. Buttonwood Tree Value Partners, L.P. v. R.L. Polk & Co., Inc., Civil Action No. 9250–VCG, 2018 WL 346036, at *3 (Del.Ch. Jan. 10, 2018).

[xvi] Salberg v. Genworth Financial, Inc., C.A. No. 2017–0018–JRS, 2017 WL 3499807, at *4 (Del.Ch. July 27, 2017).

[xvii] Id. at *5. See also Buttonwood, 2018 WL 346036, at *3.

[xviii] Employees’ Retirement System of Rhode Island v. Facebook, Inc., C.A. No. 2020-0085-JRS, 2021 WL 529439, at *9 (Del.Ch. Feb. 10, 2021)

[xix] See, e.g., Employees’ Retirement System of Rhode Island, 2021 WL 529439, at *10 (holding that the production of privileged documents should not be compelled where non-privileged documents will “likely” provide the relevant information sought by plaintiffs); In re Facebook, Inc. Section 220 Litigation, No. 2018-0661-JRS, 2019 WL 2320842, at *18, n. 184 (Del.Ch. May 30, 2019) (“Plaintiffs have not met their heavy burden under Garner because, on this record, they have not demonstrated that the privileged information they seek ‘is both necessary to prosecute the action and unavailable from other sources.’”); Buttonwood, 2018 WL 346036; Elow v. Express Scripts Holding Company, C.A. No. 12721–VCMR, 2018 WL 2110946, at *2 (Del.Ch. Apr. 27, 2018) (conclusory statements that the privileged documents sought are “not available from any other source” are insufficient to satisfy Garner); Salberg, 2017 WL 3499807, at *7 (denying Plaintiff’s Section 220 demand for privileged documents under Garner, because the communications contained advice regarding a separate ongoing derivative action and “Plaintiffs cannot achieve via Section 220 what they could not achieve via discovery in the Derivative Action”); In re Lululemon Athletica Inc. 220 Litigation, C.A. No. 9039–VCP 2015 WL 1957196 (Del.Ch. Apr. 30, 2015).

[xx] See In re Lululemon Athletica Inc. 220 Litigation, WL 1957196, at *15

[xxi] IBEW, 95 A.3d at 1278.

[xxii] Tornetta v. Musk, Case No. 2018-0408-JRS, Entry # 87553543 (Del.Ch. May 4, 2021).

On Thursday April 15th, the U.S. Department of Justice, on behalf of the Federal Trade Commission (“FTC”) filed a lawsuit in the U.S. District Court for the Eastern District of Missouri against chiropractor Eric A. Nepute and his company Quickwork LLC (the “Defendants”) for violating the new COVID-19 Consumer Protection Act. In the complaint, the FTC charges Nepute and Quickwork LLC with making unsubstantiated claims about products sold under the “Wellness Warrior” brand regarding their ability to treat and prevent COVID-19. The FTC is seeking both monetary penalties against the Defendants, as well as a permanent injunction to prevent future violations of the FTC Act and the COVID-19 Consumer Protection Act by the Defendants.

Passed by Congress in December 2020, the COVID-19 Consumer Protection Act (“the Act”) serves to deter and prohibit businesses from marketing products based on unsubstantiated scientific claims for the duration of the COVID-19 crisis. Specifically, the Act prohibits deceptive acts or practices pertaining to “the treatment, cure, prevention, mitigation, or diagnosis of COVID-19” or “a government benefit related to COVID–19.” Congress included in the statute that any violation of this law “shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act,” allowing for violators to receive financial penalties.

The Defendants promoted vitamin D and zinc products as part of their “Wellness Warrior” brand. They claimed–through multiple mediums of advertisement including emails, videos, and claims conveyed via Facebook–that their vitamin D products were scientifically proven to treat or prevent COVID-19. Some videos stated explicitly that “COVID-19 Patients who get enough Vitamin D are 52% less likely to die” and that people who get enough Vitamin D3 “have a 77 percent less chance of getting infected in the first place.” The Defendants made similar claims about their zinc products. More importantly, the Defendants also claimed that their products provided equal or better protection against COVID than the available vaccines.

The FTC issued a warning letter to Defendants about COVID-19 efficacy claims back in May 2020, but alleges that, since then, Defendants have “ramped up their unsubstantiated claims regarding Vitamin D and zinc.” Given the critical effort to roll out the various vaccines and maintain public trust regarding their effectiveness, it is unsurprising that the FTC has pursued this lawsuit.

The Lawsuit claims that Defendants violated both the FTC Act and the COVID-19 Consumer Protection act by making false claims regarding the ability of Defendants’ products ability to treat, cure, prevent, or mitigate COVID-19, both on their own and compared to available vaccines. The complaint seeks to prohibit further claims and to obtain monetary penalties Specifically the complaint states, “A violation of Section (b)(1) of the COVID-19 Consumer Protection Act made with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), is subject to monetary civil penalties of not more than $43,792 for each violation of the COVID-19 Consumer Protection Act after January 13, 2021, including penalties whose associated violation predated January 13, 2021.”

By bringing this action, the FTC has made it clear that it takes these type of COVID-19 claims very seriously and that it will respond accordingly, partnering with the Justice Department as appropriate. To date, the FTC has sent over 350 warning letters to other companies regarding their conduct related to unsubstantiated COVID-19 claims, and there is a strong reason to believe the FTC will continue to pursue these claims as they arise.


The Supreme Court of California, interpreting California Penal Code section 632.7, recently held in Smith v. LoanMe, Inc. that cellular or cordless phone conversations cannot be recorded by nonparties or the parties to the call without consent of the parties.  This decision overturned the Court of Appeal’s previous ruling that consent is only required if nonparties, and not the parties to the call, seek to record the conversation.  Therefore, companies must ensure that they obtain consent prior to recording their calls, or else criminal  and civil liability may ensue, including expensive class actions.

California Penal Code § 632.7

As part of the Invasion of Privacy Act, Penal Code section 632.7 provides, in relevant part: “Every person who, without the consent of all parties to a communication, intercepts or receives and intentionally records, or assists in the interception or reception and intentional recordation of, a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone, shall be punished.”

Section 632.7 was enacted to expand section 632, which criminalized the unconsented to recording of phone conversations between traditional telephones, to include cellular or cordless phones.

Factual and Procedural Background

This case arose after Defendant LoanMe, Inc. (“LoanMe”) recorded a very brief phone conversation that it had with Plaintiff Jeremiah Smith (“Smith”), the husband of a woman to whom LoanMe extended a loan.  On October 15, LoanMe called the phone number that Smith’s wife had provided, and Smith answered on a cordless phone, informed LoanMe that his wife was not home, and hung up.  The call lasted a total of eighteen seconds.  About three seconds into the call, LoanMe caused a “beep” tone to sound, which signaled that the call was about to be recorded, though the LoanMe representative never verbally advised Smith that the call was going to be recorded.

Thereafter, in September 2016, Smith brought suit on behalf of a putative class consisting of “all persons in California whose inbound and outbound telephone conversations involving their cellular or cordless telephones were recorded without their consent by [LoanMe] or its agent/s within the one year prior to the filing of this action.”  The complaint alleged that the recording of these calls violated section 632.7.

The trial court held that there was no violation, holding that the beep tone gave Smith sufficient notice that the call was going to be recorded.

The Court of Appeal, rather than focusing on if Smith consented to the recording, addressed when consent would be required prior to the recording.  Specifically, the court debated if section 632.7 required that consent be obtained when parties to the call sought to record the call, or if it only applied when nonparties were the ones recording the conversation.  The court ultimately concluded that only nonparties were required to obtain consent, reasoning that “parties to a phone call always consent to the receipt of their communications by each other.”  Smith v. LoanMe, Inc., 43 Cal. App. 5th 844, 848 (2019).

Supreme Court of California’s Decision

On April 1, 2021, the Supreme Court of California reversed the lower courts, holding, “We conclude that [section 632.7] applies to the intentional recording of a covered communication regardless of whether the recording is performed by a party to the communication, or a nonparty.”  The Court’s analysis is as follows:

Statutory History

In Flanagan v. Flanagan, this Court defined “confidential communication” for purposes of interpreting section 632.  The Court held, “A conversation is confidential if a party to that conversation has an objectively reasonable expectation that the conversation is not being overheard or recorded.”  Flanagan v. Flanagan, 27 Cal. 4th 766, 768 (2002).  As part of its reasoning, the Court determined that this interpretation was consistent with section 632.7.  Therefore, because parties to a phone call will typically have a reasonable expectation that the call is not being recorded, it is unreasonable to assume that a person consented to a recording of their conversation by virtue of being on the call.

Language of § 632.7

The Court then looked to the language of the statute, which specifically addresses a person who “intercepts or receives” a call and intentionally records it without the parties’ consent.  Because a party to the call is a person who “receives” the call, the statute therefore forbids parties to the call from recording the conversation without the other party’s consent.  The Court went on to say, “Although parties might normally be regarded as consenting to the receipt of their communications by other parties to a call, this acquiescence would not, by itself, necessarily convey their consent to having these communications recorded.”

Legislative History

The Committee analyses of Assembly Bill 2465 establish that section 632.7 was enacted to respond to concerns that existing law did not prohibit the unconsented to recording of conversations involving cellular or cordless phones.  Although multiple analyses lend support to this notion, the following provides a concise explanation:

The primary intent of [AB 2465] is to provide a greater degree of privacy and security to persons who use cellular or cordless telephones.  Specifically, AB 2465 prohibits persons from recording conversations transmitted between cellular or cordless telephones.

Under current law, it is only illegal to ‘maliciously’ intercept a conversation transmitted between the above-identified telephones.  There is no prohibition against recording a conversation transmitted between cellular or cordless telephones.

By comparison, it is currently illegal to ‘intentionally’ intercept or record a conversation transmitted between landline, or traditional, telephones.

…Henceforth, persons using cellular or cordless telephones may do so knowing that their conversations are not being recorded.  Sen. Com. on Judiciary, Analysis of Assem. Bill No. 2465, at pp. 3-4, Ops. Cal. Legis. Counsel, No. 27958 (Dec 17, 1991)

Because the Legislature’s aim was to provide more protection for communications involving cellular or cordless phones, interpreting section 632.7 to require both parties and nonparties to obtain consent before recording a call squarely aligns with the legislative intent.

Policy Considerations

From a policy perspective, recording a conversation without a party’s consent, regardless of who is doing the recording, can implicate considerable privacy concerns.  As this Court recognized in Ribas v. Clark, “While one who imparts private information risks the betrayal of his confidence by the other party, a substantial distinction has been recognized between the secondhand repetition of the contents of a conversation and its simultaneous dissemination to an unannounced second auditor, whether that auditor be a person or mechanical device.”  Ribas v. Clark, 38 Cal. 3d 355, 360-61 (1985).  Applying this to section 632.7, although a party to a call consents to the other party receiving its communications, there are privacy concerns when the party’s communications are simultaneously disseminated to a recording device without the party’s consent.

The Court reasoned that the distinction stressed in Ribas owes to the fact that “secret monitoring denies the speaker an important aspect of privacy of communication — the right to control the nature and extent of the firsthand dissemination of his statements.” Ribas, at 361; United States v. White, 401 U.S. 745, 787-788 (1971)(dis. opn. of Harlan, J.) [“[m]uch off-hand exchange is easily forgotten and one may count on the obscurity of his remarks, protected by the very fact of a limited audience, and the likelihood that the listener will either overlook or forget what is said, as well as the listener’s inability to reformulate a conversation”]. The Court concluded, citing Kearney v. Salomon Smith Barney, 39 Cal.4th 95, 125 (2006),  to ensure that these concerns are addressed, the state has a “strong and continuing interest in the full and vigorous application” of laws that vindicate the privacy rights that can be compromised when a communication is recorded without consent.


Moving forward, it is now unlawful for anyone, party or nonparty, to record a cellular or wireless telephone conversation without the consent of all parties to the call.  As such, companies must ensure that they receive the other party’s consent before recording the call.  However, it is important to note that what exactly constitutes consent remains uncertain (it is still to be determined whether the “beep” in the above case gave Smith adequate notice that the call was being recorded).  Because of this, companies should have their representatives or automated systems clearly indicate to the other party that the call is being recorded and ensure that such notification is non-bypassable. Companies should ensure that their outbound and inbound call recording practices with California individuals comport with this significant new decision. We expect the plaintiffs’ bar to target non-compliant businesses conducting business in California. For more information, please see our recent webinar on California Consumer Class Action issues.

Monday, May 10, 2021
12:00 p.m. to 1:00 p.m. Eastern
11:00 a.m. to 12:00 p.m. Central
10:00 a.m. to 11:00 a.m. Mountain
9:00 a.m. to 10:00 a.m. Pacific

About the Program

On October 30, 2020, the CFPB released its long-awaited final collections rule, which restated and clarified certain prohibitions on harassment and abuse, false or misleading representations, and unfair practices by debt collectors under the Fair Debt Collection Practices Act (“FDCPA”).  The release marks one of the most significant developments in the debt collection industry since the FDCPA was enacted in 1977.

In the third installment of the Consumer Financial Services Litigation Webinar Series, Seyfarth attorneys will break down various portions of the final rules. Below is the list of topics that we plan to discuss in further detail.

  • Overview of the FDCPA and Rulemaking that led to the Fall 2020 new regulations;
  • Highlight of changes and key provisions in the new FDCPA regulations;
  • Recent CFPB actions to delay and supplement the new FDCPA regulations (i.e., the two notices I circulated in the last few days).

Consumer Financial Services Webinar Series
Given the magnitude of the potential changes ahead, Seyfarth has developed a webinar series designed to convey strategies and best practices to help you to ensure that your company and internal clients are prepared for what is ahead. To stay abreast of these changes, please subscribe to our mailing to list.

Subscribe to Seyfarth’s Consumer Financial Services Mailing List.

For updates and insight on Consumer Financial Services Issues, we invite you to click here to subscribe to Seyfarth’s Consumer Class Defense Blog


Tonya M. Esposito, Partner, Seyfarth Shaw LLP
Michael Jusczyk, Associate, Seyfarth Shaw LLP
J. Patrick Kennedy, Senior Counsel, Seyfarth Shaw LLP

Jordan Vick and Kristine Argentine have organized and will be moderating a CLE program for the Federal Bar Association titled Commercial Class Actions: Hot Topics and Trends.

In this program, Seventh Circuit Judge David F. Hamilton and District Court Judge Robert M. Dow, Jr. will offer their perspectives on significant recent developments at the Circuit Court and Supreme Court levels affecting how class actions are brought, litigated, certified and settled.

Register for this program here.

On Thursday, April 15, 2020 at 12:00 p.m. Central, Seyfarth attorneys Robert Milligan, Josh Salinas and Darren Dummit presented Hot Topics and Trends in California Consumer Class Actions.

They reviewed the latest consumer class action law developments affecting companies that do business in California. It is no secret that resourceful plaintiff’s attorneys target companies conducting business in California with expensive and time-consuming putative class actions alleging violations of federal or state consumer statutes. Specifically, Seyfarth attorneys provided a summary of recent key decisions, identified trends for companies to watch for in 2021 and beyond, and provided practical “best practices” and risk management advice for the future.

As a conclusion to this webinar, we developed a summary of key takeaways:

  • California Supreme Court recently ruled that calls recorded without consent by parties and non-parties are a violation of Penal Code Section 632.7, which could result in significant class action exposure.
  • For purposes of consumer arbitration and class action waivers, unlike many states, California state and federal case law currently require that consumers not be precluded from seeking a public injunction. Arbitration provisions should be drafted to make clear that consumer arbitration provisions do not preclude such relief.
  • Covid-related “refund” class action suits have put a spotlight on the importance of clear policies within terms and conditions, as well as the changing market effects underlying these policies, but going forward we should expect to see class action activity around diminished value of the offerings, failure to provide redemptive credits of in-kind value, and failure to accommodate individual health and safety issues.
  • Perhaps one of the hottest trends over the past year-plus has been the explosion of TCPA law suits and verdicts, particularly targeting the nascent cannabis industry, and while the US Supreme Court’s recent decision will no doubt reduce the TCPA activity from the plaintiffs bar, it will by no means end it.
  • Reduce the risk of potential false advertisement class actions by ensuring marketing materials and labels comply with relevant regulations, are not misleading, and any representations or implied claims have adequate scientific support or can otherwise be substantiated.
  • Sensitive employee and customer data can be compromised not only by outside attackers but also by carelessness, mistake, and inadequate information security practices.

On January 5, 2021, the Consumer Financial Protection Bureau (CFPB) Taskforce on Federal Consumer Financial Law (Taskforce) issued a nearly 900-page final report (Report) making extensive recommendations for legislative and regulatory reform, enactment, and adoption of new initiatives in the financial marketplace. In proposing changes to the existing legal and regulatory framework, the Report is centered around five key principles: (1) consumer protection; (2) information and education; (3) competition and innovation; (4) regulatory modernization and flexibility; and (5) inclusion and access.

In the second installment of the Consumer Financial Services Litigation Webinar Series, Seyfarth attorneys offered predictions on what financial services companies might expect from the CFPB in the months ahead as a result of the Taskforce Report. Specifically, Seyfarth attorneys provided a deeper dive into the following:

  • The Background of the Taskforce, its Report and prior studies that provided the starting point and reasons for the current consumer financial services regulatory review.
  • Status of a recent legal challenge to the Taskforce and its Report pending in the Massachusetts federal court.
  • Key recommendations, including:
    • Focusing enforcement decisions on the “lodestar” of consumer harm;
    • Providing public transparency as to how enforcement decisions are made;
    • Rethinking Regulation Z’s required disclosures to better inform consumers;
    • Increasing access to credit for more consumers;
    • Providing the CFPB flexibility to determine that compliance with particular federal and state regulations during times of emergency would be impracticable.
  • Predictions for the scope of reliance and magnitude of the Taskforce Report given the change to the Biden-Harris Administration and nomination of a new CFPB Director.

Subscribe to Seyfarth’s Consumer Financial Services Mailing List.

Please see the webinar recording and presentation below for the March 25th Webinar: “Deeper Dive into the CFPB Taskforce Report Recommendations and Q&A Session”

Presentation Recording
PowerPoint Presentation

Consumer Financial Services Webinar Series

Given the magnitude of the potential changes ahead, Seyfarth has developed a webinar series designed to convey strategies and best practices to help you to ensure that your company and internal clients are prepared for what is ahead. To stay abreast of these changes, please subscribe to our mailing to list.

On Thursday, April 15, 2020 at 12:00 p.m. Central, Seyfarth attorneys Robert Milligan, Josh Salinas and Darren Dummit will present Hot Topics and Trends in California Consumer Class Actions.

Seyfarth attorneys will review the latest consumer class action law developments affecting companies that do business in California. It is no secret that resourceful plaintiff’s attorneys target companies conducting business in California with expensive and time-consuming putative class actions alleging violations of federal or state consumer statutes. Specifically, Seyfarth attorneys will provide a summary of recent key decisions, identify trends for companies to watch for in 2021 and beyond, and provide practical “best practices” and risk management advice for the future. This webinar will provide insight on the following areas:

  • COVID-19 consumer class action developments
  • Latest TCPA decisions and trends
  • Eavesdropper and call recording claims under CIPA
  • Recent developments in privacy/data breach
  • False advertising claims
  • Latest developments concerning arbitration and class waivers
  • Latest decisions and trends involving live sports, entertainment, and recreation

Thursday, March 25, 2021

12:00 p.m. to 1:00 p.m. Eastern
11:00 a.m. to 12:00 p.m. Central
10:00 a.m. to 11:00 a.m. Mountain
9:00 a.m. to 10:00 a.m. Pacific


Robert B. Milligan, Partner, Seyfarth Shaw LLP
Daniel Joshua Salinas, Partner, Seyfarth Shaw LLP
Darren W. Dummit, Partner, Seyfarth Shaw LLP

If you have any questions, please contact Kelli Pacha at and reference this event.