A recent Gizmodo news article brought attention to a recent shot across the bow in the world of privacy litigation, mostly because of its splashy headline: “H&R Block, Meta, and Google Slapped With RICO Suit, Allegedly Schemed to Scrape Taxpayer Data”. That lawsuit is Hunt v. Meta Platforms, Inc. et al. (Case No. 3:23-cv-4953), which was filed in the U.S. District Court for the Northern District of California.
It alleges five causes of action, two of which are RICO claims involving wire and/or mail fraud and conspiracy to commit the same. The other counts include far more commonly alleged violations of the Internal Revenue Code, the Federal Wiretap Act, and the California Invasion of Privacy Act (CIPA).
In particular, the complaint likens the use of pixel tracking technologies to “’spy cams’ which operate secretly and quietly within the background of a website to collect massive amounts of user data information from the websites on which they are installed.” (Id., at Paragraph 24, p. 7).
Understanding RICO Claims: A Brief Overview
The Racketeer Influenced and Corrupt Organizations (RICO) Act is a federal statute that was enacted in October 1970 with the aim of combating organized crime. It provides a powerful weapon for federal prosecutors to target criminal enterprises and to disrupt their illegal activities. Although primarily used by federal prosecutors, it's worth noting that similar laws have been enacted at the state-level by 35 states since 1972.
Perhaps more relevant here, from the standpoint of insurers, is the fact that the federal RICO Act also provides for a private right of action by individuals who believe that they’ve have been injured by the defendant's improper activity; therefore, plaintiffs’ lawyers sometimes allege RICO violations when filing a civil lawsuit because the statute allows for recovery of treble damages. Obviously, tripling the dollar amount of the actual/compensatory damages awarded to the plaintiff(s) would represent a very attractive proposition for both plaintiff and lawyer alike. Conversely, this potential tripling should raise concern for the insurance companies who underwrite the defendants’ cyber insurance policies, as they would be on-the-hook for substantially larger payouts, or more likely, settlements.
Successfully alleging RICO violations in a civil case can be a formidable challenge though. The high burden of proof, coupled with the intricacies of RICO's statutory elements, makes it a complex endeavor. Ken White, himself a former Assistant U.S. Attorney (AUSA), argues in his classic blog post, "It's Not RICO, Dammit," that the use of RICO in civil litigation is often misguided. Courts tend to apply a stringent standard when assessing the viability of RICO claims in civil lawsuits. Due to the complexity of both alleging and proving the allegations, any such counts are more likely to be dismissed at an early stage by the judge.
To successfully bring a civil RICO claim, a plaintiff must demonstrate a series of statutory elements:
Enterprise: There must be an ongoing organization, which could include a formal or informal association or group of individuals, that functions together for a common purpose.
Pattern of Racketeering Activity: This involves a series of at least two predicate acts of racketeering activity (consisting of 35 specifically enumerated crimes) by the defendants within a ten-year period. Racketeering activity encompasses a wide range of criminal offenses, including but not limited to arson, bribery, extortion, fraud, gambling, and murder-for-hire.
Causation: The plaintiff must establish that the defendants’ actions were a direct cause of their injuries.
Standing: The plaintiff must show that they have suffered a concrete injury as a result of the defendants’ RICO violation.
The Challenge of Proving a RICO Case
Successfully proving a RICO case, whether in a criminal or civil context, is notoriously complex. Federal and state prosecutors typically wield RICO against organized crime syndicates, whereas attempts to use it in civil litigation are typically much less successful because of its intricate requirements. In civil cases, overzealous plaintiffs' lawyers often allege RICO violations, but courts tend to scrutinize such claims rigorously. The burden of demonstrating the existence of an enterprise, a pattern of racketeering activity, and a direct causal link to the plaintiff's injuries is a substantial one, particularly in the context of such widely used advertising technologies.
And the Magic 8 Ball Says...
As we continuously expand our analysis of all privacy and security class actions, the hyperbolic language of this case sets it apart. Although it can certainly generate heightened media interest in a particular case, it is essential that such claims should be approached with a discerning eye. Even though plaintiffs remain free to allege RICO violations, it is highly likely that federal courts will scrutinize the merits of such claims closely. In our view, the probability that the two RICO counts will survive a motion to dismiss by the defendants is quite low. (It is entirely probable that the remaining three counts would, in fact, survive such a motion to dismiss.) It will also be interesting to watch what impact, if any, this legal strategy will have on ultimate defense costs and settlement amounts.
The case, Hunt v. Meta Platforms et al. is, of course, still only in the earliest stages of civil litigation; however, CyRisk will continue to watch for further developments as the case moves forward.
With CyRisk's Privacy Risk Detection, insurers, reinsurers, brokers, and risk managers can gain clarity around privacy risk exposure, protect their businesses, and provide the best service to their clients. For more information on Privacy Risk Detection solution, contact CyRisk at firstname.lastname@example.org