Justia U.S. 9th Circuit Court of Appeals Opinion Summaries

Paige Thompson committed a significant data breach, hacking into Amazon Web Services (AWS) customers' accounts, stealing data from at least 30 entities, and causing tens of millions of dollars in damage. She also used the stolen credentials to mine cryptocurrency, further increasing the financial impact on the victims. Thompson was arrested after she revealed her activities to a cybersecurity professional, leading to an FBI investigation.The United States District Court for the Western District of Washington calculated Thompson's sentencing range under the Federal Sentencing Guidelines to be 168 to 210 months of imprisonment. However, the court granted a substantial downward variance, sentencing her to time served (approximately 100 days) and five years of probation. The court emphasized Thompson's personal history, including her transgender identity, autism, and past trauma, as significant factors in its decision.The United States Court of Appeals for the Ninth Circuit reviewed the case and found that the district court overemphasized Thompson's personal story and failed to properly weigh several of the 18 U.S.C. § 3553(a) factors. The appellate court held that the district court's findings regarding Thompson's lack of malicious intent, her remorse, and the seriousness of her actions were clearly erroneous and not supported by the record. The Ninth Circuit also noted that the district court did not adequately consider the need for general and specific deterrence or the risk of unwarranted sentencing disparities.The Ninth Circuit vacated Thompson's sentence and remanded the case for resentencing, instructing the district court to properly weigh all relevant factors and provide a more substantial justification for any variance from the Guidelines. View "USA V. THOMPSON" on Justia Law

Joseph Sullivan, the former Chief Security Officer for Uber Technologies, was convicted of obstruction of justice and misprision of a felony. The case arose from Sullivan's efforts to cover up a significant data breach at Uber while the company was under investigation by the Federal Trade Commission (FTC) for its data security practices. The breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.The United States District Court for the Northern District of California presided over the trial, where a jury found Sullivan guilty. Sullivan appealed, challenging the jury instructions, the sufficiency of the evidence, and an evidentiary ruling. He argued that the district court erred in rejecting his proposed jury instructions regarding the "nexus" requirement for the obstruction charge and the "duty to disclose" instruction. He also contended that the evidence was insufficient to support his misprision conviction and that the court improperly admitted a guilty plea agreement signed by one of the hackers.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's decisions. The court held that Ninth Circuit precedent foreclosed Sullivan's argument regarding the "nexus" instruction and that the district court did not err in rejecting it. The court also found that the omission of the "duty to disclose" instruction was proper, as the theories of liability under Section 1505 and Section 2(b) were conjunctive. The court concluded that the evidence was sufficient to support Sullivan's misprision conviction and that the district court did not abuse its discretion in admitting the hacker's guilty plea agreement. The Ninth Circuit affirmed Sullivan's conviction. View "USA V. SULLIVAN" on Justia Law

A cyberattack on California Pizza Kitchen, Inc. (CPK) in September 2021 compromised the personal information of over 100,000 former and current employees. This led to multiple class action lawsuits against CPK, alleging negligence and other claims. The consolidated plaintiffs reached a settlement with CPK, offering cash payments and credit monitoring services to class members, with CPK required to make payments only to those who submitted valid claims. The settlement's monetary value was estimated at around $950,000, while the attorneys sought $800,000 in fees.The United States District Court for the Central District of California approved the settlement but reserved judgment on the attorneys' fees until after the claims process concluded. The consolidated plaintiffs reported a final claims rate of 1.8%, with the maximum monetary value of the claims being around $950,000. Despite expressing concerns about the scope of attorneys' fees, the district court ultimately awarded the full $800,000 in fees and costs.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's approval of the class settlement, finding that the district court had properly applied the heightened standard to review the settlement for collusion and had not abused its discretion in finding the settlement fair, reasonable, and adequate. However, the Ninth Circuit reversed the fee award, noting that the district court had not adequately assessed the actual value of the settlement and compared it to the fees requested. The case was remanded for the district court to determine the settlement's actual value to class members and award reasonable and proportionate attorneys' fees. View "IN RE: CALIFORNIA PIZZA KITCHEN DATA BREACH LITIGATION" on Justia Law

An underage user of the Grindr application, John Doe, filed a lawsuit against Grindr Inc. and Grindr LLC, alleging that the app facilitated his sexual exploitation by adult men. Doe claimed that Grindr's design and operation allowed him to be matched with adults despite being a minor, leading to his rape by four men, three of whom were later convicted. Doe's lawsuit included state law claims for defective design, defective manufacturing, negligence, failure to warn, and negligent misrepresentation, as well as a federal claim under the Trafficking Victims Protection Reauthorization Act (TVPRA).The United States District Court for the Central District of California dismissed Doe's claims, ruling that Section 230 of the Communications Decency Act (CDA) provided Grindr with immunity from liability for the state law claims. The court also found that Doe failed to state a plausible claim under the TVPRA, as he did not sufficiently allege that Grindr knowingly participated in or benefitted from sex trafficking.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's dismissal. The Ninth Circuit held that Section 230 barred Doe's state law claims because they implicated Grindr's role as a publisher of third-party content. The court also agreed that Doe failed to state a plausible TVPRA claim, as he did not allege that Grindr had actual knowledge of or actively participated in sex trafficking. Consequently, Doe could not invoke the statutory exception to Section 230 immunity under the Allow States and Victims to Fight Online Sex Trafficking Act of 2018. The Ninth Circuit affirmed the district court's dismissal of Doe's claims in their entirety. View "DOE V. GRINDR INC." on Justia Law

A California corporation, China Unicom (Americas) Operations Limited (CUA), was authorized to provide domestic and international telecommunications services under certificates issued by the Federal Communications Commission (FCC) pursuant to § 214 of the Communications Act of 1934. In 2020, the FCC ordered CUA to show cause why its certificates should not be revoked due to national security concerns related to its Chinese government ownership. CUA responded, but the FCC found the responses inadequate and initiated revocation proceedings.The FCC's International, Wireline Competition, and Enforcement Bureaus issued an order to show cause, citing national security concerns and CUA's lack of candor. CUA argued against the revocation, claiming the FCC lacked authority and that it was entitled to a formal hearing. The FCC, however, found CUA's responses insufficient and proceeded with revocation based on national security risks and CUA's lack of trustworthiness.The United States Court of Appeals for the Ninth Circuit reviewed the case. The court held that the FCC has the authority to revoke § 214 certificates based on national security concerns and that the FCC's decision was supported by substantial evidence. The court found that CUA's ultimate Chinese government ownership and the overlap of its board members with the Chinese Communist Party posed significant national security risks. Additionally, the court upheld the FCC's finding that CUA demonstrated a lack of candor and trustworthiness in its dealings with the FCC.The court also rejected CUA's procedural arguments, concluding that the FCC followed appropriate procedures and that a formal evidentiary hearing was not required. The Ninth Circuit denied CUA's petition for review, affirming the FCC's revocation of CUA's § 214 certificates. View "CHINA UNICOM (AMERICAS) OPERA V. FCC" on Justia Law

Michael Terpin, a cryptocurrency investor, sued AT&T Mobility, LLC after hackers gained control over his phone number through a fraudulent "SIM swap," received password reset messages for his online accounts, and stole $24,000,000 of his cryptocurrency. Terpin alleged that AT&T failed to adequately secure his account, leading to the theft.The United States District Court for the Central District of California dismissed some of Terpin's claims for failure to state a claim and later granted summary judgment against him on his remaining claims. The court dismissed Terpin's fraud claims and punitive damages claim, holding that he failed to allege that AT&T had a duty to disclose or made a promise with no intent to perform. The court also held that Terpin failed to allege facts sufficient to support punitive damages. On summary judgment, the court ruled that Terpin's negligence claims were barred by the economic loss rule, his breach of contract claim was barred by the limitation of liability clause in the parties' agreement, and his claim under Section 222 of the Federal Communications Act (FCA) failed because the SIM swap did not disclose any information protected under the Act.The United States Court of Appeals for the Ninth Circuit affirmed the district court's dismissal of Terpin's fraud claims and punitive damages claim, agreeing that Terpin failed to allege a duty to disclose or an intent not to perform. The court also affirmed the summary judgment on Terpin's breach of contract claim, holding that consequential damages were barred by the limitation of liability clause. The court affirmed the summary judgment on Terpin's negligence claims, finding them foreclosed by the economic loss rule. However, the Ninth Circuit reversed the summary judgment on Terpin's claim under Section 222 of the FCA, holding that Terpin created a triable issue over whether the fraudulent SIM swap gave hackers access to information protected under the Act. The case was remanded for further proceedings on this claim. View "TERPIN V. AT&T MOBILITY LLC" on Justia Law

The case involves a challenge by local governments and municipal organizations to the Federal Communications Commission’s (FCC) 2020 Ruling, which interprets and clarifies existing legislative rules from the 2014 Order. These rules implement section 6409(a) of the Middle Class Tax Relief and Job Creation Act of 2012, requiring state and local governments to approve certain wireless network modifications that do not substantially change existing facilities.The petitioners challenged several provisions of the FCC’s 2020 Ruling: the Shot Clock Rule, the Separation Clause, the Equipment Cabinet Provision Clarification, the Concealment and Siting Approval Conditions Provisions, and the Express Evidence Requirement. They argued that these clarifications were either arbitrary and capricious or improperly issued without following the Administrative Procedure Act’s (APA) notice-and-comment procedures.The United States Court of Appeals for the Ninth Circuit reviewed the case. The court found that the 2020 Ruling’s clarifications of the Shot Clock Rule, the Separation Clause, and the Equipment Cabinet Provision were consistent with the 2014 Order, were interpretive rules, and were not arbitrary or capricious. Therefore, the court denied the petition for review regarding these provisions.However, the court found that the 2020 Ruling’s clarifications of the Concealment and Siting Approval Conditions Provisions were inconsistent with the 2014 Order, making them legislative rules. The FCC’s failure to follow the APA’s procedural requirements in issuing these legislative rules was not harmless. Consequently, the court granted the petition for review concerning these provisions.Finally, the court denied the petition for review regarding the Express Evidence Requirement, concluding that its application would not have a retroactive effect. The court’s decision was to grant the petition in part and deny it in part, affirming some of the FCC’s clarifications while invalidating others. View "League of California Cities v. Federal Communications Commission" on Justia Law

The case involves X Corp., the owner of a large social media platform, challenging California Assembly Bill AB 587. This law requires large social media companies to post their terms of service and submit semiannual reports to the California Attorney General detailing their content-moderation policies and practices, including how they define and address categories like hate speech, extremism, and misinformation. X Corp. sought a preliminary injunction to prevent the enforcement of AB 587, arguing that it violates free speech and is federally preempted.The United States District Court for the Eastern District of California denied X Corp.'s motion for a preliminary injunction. The court found that X Corp. was unlikely to succeed on the merits of its First Amendment claim, applying the Zauderer standard for compelled commercial speech. The court concluded that the law's requirements were purely factual and uncontroversial, and reasonably related to the state's interest in transparency. The court also rejected X Corp.'s preemption argument, stating that AB 587 does not impose liability for content moderation activities but only for failing to make required disclosures.The United States Court of Appeals for the Ninth Circuit reversed the district court's decision. The Ninth Circuit held that the Content Category Report provisions of AB 587 likely compel non-commercial speech and are subject to strict scrutiny because they are content-based. The court found that these provisions are not narrowly tailored to serve the state's interest in transparency and therefore likely fail strict scrutiny. The court also determined that the remaining factors for a preliminary injunction weighed in favor of X Corp. The Ninth Circuit remanded the case to the district court to enter a preliminary injunction consistent with its opinion and to determine whether the Content Category Report provisions are severable from the rest of AB 587. View "X CORP. V. BONTA" on Justia Law

The case involves the plaintiffs, including the estate of Carson Bride and three minors, who suffered severe harassment and bullying through the YOLO app, leading to emotional distress and, in Carson Bride's case, suicide. YOLO Technologies developed an anonymous messaging app that promised to unmask and ban users who engaged in bullying or harassment but allegedly failed to do so. The plaintiffs filed a class action lawsuit against YOLO, claiming violations of state tort and product liability laws.The United States District Court for the Central District of California dismissed the plaintiffs' complaint, holding that Section 230 of the Communications Decency Act (CDA) immunized YOLO from liability. The court found that the claims sought to hold YOLO responsible for third-party content posted on its app, which is protected under the CDA.The United States Court of Appeals for the Ninth Circuit reviewed the case. The court reversed the district court's dismissal of the plaintiffs' misrepresentation claims, holding that these claims were based on YOLO's promise to unmask and ban abusive users, not on a failure to moderate content. The court found that the misrepresentation claims were analogous to a breach of promise, which is not protected by Section 230. However, the court affirmed the dismissal of the plaintiffs' product liability claims, holding that Section 230 precludes liability because these claims attempted to hold YOLO responsible as a publisher of third-party content. The court concluded that the product liability claims were essentially about the failure to moderate content, which is protected under the CDA. View "Estate of Bride v. Yolo Technologies, Inc." on Justia Law

A national trade association of online businesses challenged the California Age-Appropriate Design Code Act (CAADCA), which aims to protect children's online privacy and ensure that online products accessed by children are designed with their needs in mind. The association argued that the CAADCA's requirements, particularly those mandating businesses to assess and mitigate risks of exposing children to harmful content, violated the First Amendment.The United States District Court for the Northern District of California granted a preliminary injunction, finding that the association was likely to succeed in its First Amendment challenge. The court held that the CAADCA's requirements compelled businesses to express opinions on controversial issues and act as censors, which constituted a violation of free speech. The court enjoined the entire law, concluding that the unconstitutional provisions were not severable from the rest of the statute.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed in part and vacated in part the district court's preliminary injunction. The Ninth Circuit agreed that the CAADCA's requirement for businesses to create Data Protection Impact Assessment (DPIA) reports, which included assessing and mitigating risks of exposing children to harmful content, likely violated the First Amendment. The court affirmed the injunction against these provisions and those not grammatically severable from them.However, the Ninth Circuit vacated the remainder of the preliminary injunction, finding that it was unclear whether other challenged provisions of the CAADCA facially violated the First Amendment. The court noted that further proceedings were necessary to determine the full scope and impact of these provisions. The case was remanded to the district court for further consideration. View "NETCHOICE, LLC V. BONTA" on Justia Law