Justia U.S. 9th Circuit Court of Appeals Opinion Summaries

Paige Thompson committed a significant data breach, hacking into Amazon Web Services (AWS) customers' accounts, stealing data from at least 30 entities, and causing tens of millions of dollars in damage. She also used the stolen credentials to mine cryptocurrency, further increasing the financial impact on the victims. Thompson was arrested after she revealed her activities to a cybersecurity professional, leading to an FBI investigation.The United States District Court for the Western District of Washington calculated Thompson's sentencing range under the Federal Sentencing Guidelines to be 168 to 210 months of imprisonment. However, the court granted a substantial downward variance, sentencing her to time served (approximately 100 days) and five years of probation. The court emphasized Thompson's personal history, including her transgender identity, autism, and past trauma, as significant factors in its decision.The United States Court of Appeals for the Ninth Circuit reviewed the case and found that the district court overemphasized Thompson's personal story and failed to properly weigh several of the 18 U.S.C. § 3553(a) factors. The appellate court held that the district court's findings regarding Thompson's lack of malicious intent, her remorse, and the seriousness of her actions were clearly erroneous and not supported by the record. The Ninth Circuit also noted that the district court did not adequately consider the need for general and specific deterrence or the risk of unwarranted sentencing disparities.The Ninth Circuit vacated Thompson's sentence and remanded the case for resentencing, instructing the district court to properly weigh all relevant factors and provide a more substantial justification for any variance from the Guidelines. View "USA V. THOMPSON" on Justia Law

Joseph Sullivan, the former Chief Security Officer for Uber Technologies, was convicted of obstruction of justice and misprision of a felony. The case arose from Sullivan's efforts to cover up a significant data breach at Uber while the company was under investigation by the Federal Trade Commission (FTC) for its data security practices. The breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.The United States District Court for the Northern District of California presided over the trial, where a jury found Sullivan guilty. Sullivan appealed, challenging the jury instructions, the sufficiency of the evidence, and an evidentiary ruling. He argued that the district court erred in rejecting his proposed jury instructions regarding the "nexus" requirement for the obstruction charge and the "duty to disclose" instruction. He also contended that the evidence was insufficient to support his misprision conviction and that the court improperly admitted a guilty plea agreement signed by one of the hackers.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's decisions. The court held that Ninth Circuit precedent foreclosed Sullivan's argument regarding the "nexus" instruction and that the district court did not err in rejecting it. The court also found that the omission of the "duty to disclose" instruction was proper, as the theories of liability under Section 1505 and Section 2(b) were conjunctive. The court concluded that the evidence was sufficient to support Sullivan's misprision conviction and that the district court did not abuse its discretion in admitting the hacker's guilty plea agreement. The Ninth Circuit affirmed Sullivan's conviction. View "USA V. SULLIVAN" on Justia Law

A cyberattack on California Pizza Kitchen, Inc. (CPK) in September 2021 compromised the personal information of over 100,000 former and current employees. This led to multiple class action lawsuits against CPK, alleging negligence and other claims. The consolidated plaintiffs reached a settlement with CPK, offering cash payments and credit monitoring services to class members, with CPK required to make payments only to those who submitted valid claims. The settlement's monetary value was estimated at around $950,000, while the attorneys sought $800,000 in fees.The United States District Court for the Central District of California approved the settlement but reserved judgment on the attorneys' fees until after the claims process concluded. The consolidated plaintiffs reported a final claims rate of 1.8%, with the maximum monetary value of the claims being around $950,000. Despite expressing concerns about the scope of attorneys' fees, the district court ultimately awarded the full $800,000 in fees and costs.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's approval of the class settlement, finding that the district court had properly applied the heightened standard to review the settlement for collusion and had not abused its discretion in finding the settlement fair, reasonable, and adequate. However, the Ninth Circuit reversed the fee award, noting that the district court had not adequately assessed the actual value of the settlement and compared it to the fees requested. The case was remanded for the district court to determine the settlement's actual value to class members and award reasonable and proportionate attorneys' fees. View "IN RE: CALIFORNIA PIZZA KITCHEN DATA BREACH LITIGATION" on Justia Law

An underage user of the Grindr application, John Doe, filed a lawsuit against Grindr Inc. and Grindr LLC, alleging that the app facilitated his sexual exploitation by adult men. Doe claimed that Grindr's design and operation allowed him to be matched with adults despite being a minor, leading to his rape by four men, three of whom were later convicted. Doe's lawsuit included state law claims for defective design, defective manufacturing, negligence, failure to warn, and negligent misrepresentation, as well as a federal claim under the Trafficking Victims Protection Reauthorization Act (TVPRA).The United States District Court for the Central District of California dismissed Doe's claims, ruling that Section 230 of the Communications Decency Act (CDA) provided Grindr with immunity from liability for the state law claims. The court also found that Doe failed to state a plausible claim under the TVPRA, as he did not sufficiently allege that Grindr knowingly participated in or benefitted from sex trafficking.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's dismissal. The Ninth Circuit held that Section 230 barred Doe's state law claims because they implicated Grindr's role as a publisher of third-party content. The court also agreed that Doe failed to state a plausible TVPRA claim, as he did not allege that Grindr had actual knowledge of or actively participated in sex trafficking. Consequently, Doe could not invoke the statutory exception to Section 230 immunity under the Allow States and Victims to Fight Online Sex Trafficking Act of 2018. The Ninth Circuit affirmed the district court's dismissal of Doe's claims in their entirety. View "DOE V. GRINDR INC." on Justia Law

The case involves Clayton Zellmer, who sued Meta Platforms, Inc. (formerly Facebook) for alleged violations of the Illinois Biometric Information Privacy Act (BIPA). Zellmer, who never used Facebook, claimed that the company violated BIPA when it created a "face signature" from photos of him uploaded by his friends and failed to publish a written policy outlining its retention schedule for collected biometric data.The district court granted summary judgment in favor of Meta on Zellmer's claim under Section 15(b) of BIPA. The court reasoned that it would be practically impossible for Meta to comply with BIPA if it had to obtain consent from everyone whose photo was uploaded to Facebook before it could use its Tag Suggestions feature. The court also dismissed Zellmer's claim under Section 15(a) of BIPA for lack of standing, holding that Zellmer did not suffer a particularized injury.The United States Court of Appeals for the Ninth Circuit affirmed the district court's decisions but on different grounds. The appellate court rejected the district court's reasoning for granting summary judgment, stating that BIPA's plain text applies to everyone whose biometric identifiers or information is held by Facebook. However, the court concluded that there was no material dispute of fact as to whether Meta violated BIPA's plain terms. The court found that face signatures, which are created from uploaded photos, cannot identify and therefore are not biometric identifiers or information as defined by BIPA. The court also affirmed the dismissal of Zellmer's claim under Section 15(a) of BIPA for lack of standing, agreeing with the district court that Zellmer did not suffer a particularized injury. View "ZELLMER V. META PLATFORMS, INC." on Justia Law

In this case, the plaintiff, a victim of sex trafficking, brought a putative class action against various entities, including foreign-based defendants who operated websites on which videos of her abuse were uploaded and viewed. The district court dismissed the claims against the foreign-based defendants for lack of personal jurisdiction. On appeal, the United States Court of Appeals for the Ninth Circuit reversed and vacated in part, holding that the district court erred in its conclusion.The Ninth Circuit found that the plaintiff had established a prima facie case for the exercise of specific personal jurisdiction over two foreign defendants, WebGroup Czech Republic, a.s. ("WGCZ") and NKL Associates, s.r.o. ("NKL"), which operated the websites. The court concluded that the plaintiff had shown that these defendants had purposefully directed their activities toward the United States, that her claims arose from these forum-related activities, and that the exercise of jurisdiction would be reasonable.The court based its decision on several factors. WGCZ and NKL had contracted with U.S.-based content delivery network services to ensure faster website loading times and a more seamless viewing experience for U.S. users, demonstrating that they had actively targeted the U.S. market. They also profited significantly from U.S. web traffic. Furthermore, the harm the plaintiff suffered—namely, the publication of videos of her abuse on the defendants' websites—had occurred in the U.S., and a substantial volume of the widespread publication of the videos occurred in the U.S.As for the remaining foreign defendants, the court vacated the district court's dismissal of them because it was based solely on the incorrect assumption that there was no personal jurisdiction over WGCZ and NKL. The court remanded the case for further proceedings to determine whether personal jurisdiction could be asserted against these additional defendants. View "DOE V. WEBGROUP CZECH REPUBLIC, A.S." on Justia Law

The United States Court of Appeals for the Ninth Circuit affirmed the lower court's order to compel arbitration and dismiss without prejudice a series of lawsuits against several sports goods e-commerce companies (the defendants). The lawsuits were brought by several plaintiffs, who were consumers that purchased goods online from the defendants and had their personal information stolen during a data breach on the defendants' websites. The defendants moved to compel arbitration based on the arbitration provision in their terms of use. The appellate court held that the plaintiffs had sufficient notice of the arbitration provision and that the arbitration clause was not invalid under California law, was not unconscionable, and did not prohibit public injunctive relief. Furthermore, the parties agreed to delegate the question of arbitrability to an arbitrator according to the commercial rules and procedures of JAMS, a private alternative dispute resolution provider. View "PATRICK V. RUNNING WAREHOUSE, LLC" on Justia Law

In the case before the United States Court of Appeals for the Ninth Circuit, Best Carpet Values, Inc. and Thomas D. Rutledge initiated a class action lawsuit against Google, LLC. The plaintiffs argued that Google, through its Search App on Android phones, displayed their websites in a way that occupied valuable space for which Google should have paid. They contended that Google received all the benefits of advertising from the use of that space. The plaintiffs made state-law claims for trespass to chattels, implied-in-law contract and unjust enrichment, and violation of California's Unfair Competition Law.The court reviewed questions certified by the district court for interlocutory review. In response to the first question, the court ruled that the website copies displayed on a user's screen should not be protected as chattel, concluding that a cognizable property right did not exist in a website copy. As a result, the plaintiffs’ trespass to chattels claim was dismissed.Addressing the third question, the court held that website owners cannot invoke state law to control how their websites are displayed on a user's screen without being preempted by federal copyright law. The court determined that the manner in which the plaintiffs’ websites were displayed fell within the subject matter of federal copyright law. It also found that the rights asserted by the plaintiffs’ implied-in-law contract and unjust enrichment claim were equivalent to the rights provided by federal copyright law. Thus, the plaintiffs’ state-law claim was preempted by federal copyright law.Given these findings, the court did not address the other certified questions. The Ninth Circuit concluded that the district court erred in denying Google’s motion to dismiss and remanded the case with instructions to dismiss. View "Best Carpet Values, Inc. v. Google LLC" on Justia Law

The plaintiff, a survivor of childhood sex trafficking, filed a class action suit against a group of foreign and domestic corporations, alleging that they violated federal and California laws by distributing videos of her sexual abuse on the internet. The defendants included the owners and operators of two pornography websites based in the Czech Republic. The plaintiff argued that the court had personal jurisdiction over the foreign defendants under Federal Rule of Civil Procedure 4(k)(2), which allows for jurisdiction over a foreign defendant if the claim arises under federal law, the defendant is not subject to jurisdiction in any state's courts, and exercising jurisdiction is consistent with the U.S. Constitution and laws. The district court dismissed the case, ruling that it lacked personal jurisdiction over the foreign defendants.The U.S. Court of Appeals for the Ninth Circuit reversed in part and vacated in part the district court's dismissal. The court found that the plaintiff had established a prima facie case that the Czech website operators had purposefully directed their websites at the United States. The court also held that the plaintiff's claims arose from the defendants' forum-related activities, and that the defendants failed to show that the exercise of personal jurisdiction would be unreasonable. Therefore, the court reversed the district court's dismissal of the action against the Czech defendants for lack of personal jurisdiction.The court also vacated the district court's dismissal of nine additional foreign defendants. The district court had dismissed these defendants solely on the grounds that there was no personal jurisdiction over the Czech defendants. The appellate court instructed the district court to address on remand whether personal jurisdiction could be asserted against these additional defendants. View "DOE V. WEBGROUP CZECH REPUBLIC, A.S." on Justia Law

Google owns YouTube, an online video-sharing platform that is popular among children. Google’s targeted advertising is aided by technology that delivers curated, customized advertising based on information about specific users. Google’s technology depends partly on what Federal Trade Commission (“FTC”) regulations call “persistent identifiers,” information “that can be used to recognize a user over time and across different Web sites or online services.” In 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class alleged that Google used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent. They pleaded only state law causes of action but also alleged that Google’s activities violated COPPA. The district court held that the “core allegations” in the third amended complaint were preempted by COPPA.   The Ninth Circuit reversed the district court’s dismissal of the third amended complaint on preemption grounds. The court remanded so that the district court can consider, in the first instance, the alternative arguments for dismissal to the extent those arguments were properly preserved. The panel held that state laws that supplement, or require the same thing as federal law, do not stand as an obstacle to Congress’s objectives, and are not “inconsistent.” The panel was not persuaded that the insertion of “treatment” in the preemption clause evinced clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements. The panel concluded that COPPA’s preemption clause does not bar state-law causes of action that are parallel to or proscribe the same conduct forbidden by COPPA. View "CARA JONES, ET AL V. GOOGLE LLC, ET AL" on Justia Law