Class Action

Split Ends: WEN Hair Care & The FDA’s Regulation of Cosmetics

MJLST Guest Blogger, Tommy Tobin

[Editor’s Note: The LawSci Forum is pleased to announce a new series on current issues in FDA law. This post is #1 in the series, with more in the coming weeks.]

We have all been tempted by late-night television infomercials and their promises. If the product works, our lives become more convenient; if it doesn’t, we’re only out a few dollars and the product will gather dust. For thousands across America, one product that promised a hair-care revolution left them scratching, itching, and balding.

The Food & Drug Administration (FDA) is investigating over 20,000 incidents of adverse events resulting from WEN by Chaz Dean. Los Angeles-based stylist Chaz Dean is the face of the WEN brand, endorsed by Brooke Shields, Alyssa Milano, and other celebrities. Sold on QVC, infomercials, and elsewhere, WEN is unlike most shampoos. It is marketed as a “revolutionary way to cleanse and hydrate the hair” without water.

There’s another way that WEN is unlike most shampoos: using WEN all too often results in large clumps of hair falling off one’s head. The FDA has received complaints of baldness in addition to hair loss, itching, and rashes after consumers tried WEN products. In July 2016, the FDA issued a Safety Alert to warn the public about potential results of using this hair care product. In that warning, the FDA noted that this was the largest number of reports ever received for a hair cleansing product.

Unsurprisingly, litigation has ensued. One California case has resulted in a preliminary class action settlement of over $26 million. Filed in the Central District of California, the suit alleges that the plaintiffs, and their similarly-situated class members, suffered hair loss and scalp irritation, among other injuries. One class representative allegedly lost one-third of her hair after she used WEN’s Sweet Almond Milk kit. In addition, plaintiffs claimed that the WEN was falsely advertised as safe and failed to warn users of potential harm.

Under the terms of the preliminary settlement, notice will be given to 6 million class members, defined as any American purchaser of WEN hair care products between November 2007 and August 1, 2016. A warning will be added to the product’s packaging telling users to seek immediate medical attention for adverse reactions. While many claimants in the class can submit claims for a $25 payment, those with more extensive damages can submit claims for additional recovery. For example, those that have lost more than 50% of their hair with minimal “hair regrowth” could recover as much as $20,000.

But, wait there’s more! The nature of the allegations against WEN have led many consumers, lawmakers, and even the New York Times to ask whether the FDA should have the authority to recall dangerous cosmetics from the market. Currently, the FDA is not authorized to order recalls of cosmetic products. Instead, such recalls are voluntary efforts by manufacturers or distributors.

A cursory inspection of the FDA’s name reveals that “cosmetics” is nowhere to be found in the title of the Food & Drug Administration. While the FDA notes that cosmetic companies and marketers “have the legal responsibility to ensure the safety of their products,” the WEN case provides an opportunity to reflect on the FDA’s regulatory authority over cosmetic products.  For example, the FDA may order warning statements on cosmetics that present health hazards and work with manufacturers on voluntary recalls. Time will tell whether WEN prompts further action to regulate cosmetic products.


6th Circuit Aligns With 7th Circuit on Data Breach Standing Issue

John Biglow, MJLST Managing Editor

To bring a suit in any judicial court in the United States, an individual, or group of individuals must satisfy Article III’s standing requirement. As recently clarified by the Supreme Court in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), to meet this requirement, a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. at 1547. When cases involving data breaches have entered the Federal Circuit courts, there has been some disagreement as to whether the risk of future harm from data breaches, and the costs spent to prevent this harm, qualify as “injuries in fact,” Article III’s first prong.

Last Spring, I wrote a note concerning Article III standing in data breach litigation in which I highlighted the Federal Circuit split on the issue and argued that the reasoning of the 7th Circuit court in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) was superior to its sister courts and made for better law. In Remijas, the plaintiffs were a class of individuals whose credit and debit card information had been stolen when Neiman Marcus Group, LLC experienced a data breach. A portion of the class had not yet experienced any fraudulent charges on their accounts and were asserting Article III standing based upon the risk of future harm and the time and money spent mitigating this risk. In holding that these Plaintiffs had satisfied Article III’s injury in fact requirement, the court made a critical inference that when a hacker steals a consumer’s private information, “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume [the] consumers’ identit[y].” Id. at 693.

This inference is in stark contrast to the line of reasoning engaged in by the 3rd Circuit in Reilly v. Ceridian Corp. 664 F.3d 38 (3rd Cir. 2011).  The facts of Reilly were similar to Remijas, except that in Reilly, Ceridian Corp., the company that had experienced the data breach, stated only that their firewall had been breached and that their customers’ information may have been stolen. In my note, mentioned supra, I argued that this difference in facts was not enough to wholly distinguish the two cases and overcome a circuit split, in part due to the Reilly court’s characterization of the risk of future harm. The Reilly court found that the risk of misuse of information was highly attenuated, reasoning that whether the Plaintiffs experience an injury depended on a series of “if’s,” including “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” Id. at 43 (emphasis in original).

Often in the law, we are faced with an imperfect or incomplete set of facts. Any time an individual’s intent is an issue in a case, this is a certainty. When faced with these situations, lawyers have long utilized inferences to differentiate between more likely and less likely scenarios for what the missing facts are. In the case of a data breach, it is almost always the case that both parties will have little to no knowledge of the intent, capabilities, or plans of the hacker. However, it seems to me that there is room for reasonable inferences to be made about these facts. When a hacker is sophisticated enough to breach a company’s defenses and access data, it makes sense to assume they are sophisticated enough to utilize that data. Further, because there is risk involved in executing a data breach, because it is illegal, it makes sense to assume that the hacker seeks to gain from this act. Thus, as between the Reilly and Remijas courts’ characterizations of the likelihood of misuse of data, it seemed to me that the better rule is to assume that the hacker is able to utilize the data and plans to do so in the future. Further, if there are facts tending to show that this inference is wrong, it is much more likely at the pleading stage that the Defendant Corporation would be in possession of this information than the Plaintiff(s).

Since Remijas, there have been two data breach cases that have made it to the Federal Circuit courts on the issue of Article III standing. In Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 965 (7th Cir. 2016), the court unsurprisingly followed the precedent set forth in their recent case, Remijas, in finding that Article III standing was properly alleged. In Galaria v. Nationwide Mut. Ins. Co., a recent 6th Circuit case, the court had to make an Article III ruling without the constraint of an earlier ruling in their Circuit, leaving the court open to choose what rule and reasoning to apply. Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027, (6th Cir. Sept. 12, 2016). In the case, the Plaintiffs alleged, among other claims, negligence and bailment; these claims were dismissed by the district court for lack of Article III standing. In alleging that they had suffered an injury in fact, the Plaintiffs alleged “a substantial risk of harm, coupled with reasonably incurred mitigation costs.” Id. at 3. In holding that this was sufficient to establish Article III standing at the pleading stage, the Galaria court found the inference made by the Remijas court to be persuasive, stating that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” Moving forward, it will be intriguing to watch how Federal Circuits who have not faced this issue, like the 6th circuit before deciding Galaria, rule on this issue and whether, if the 3rd Circuit keeps its current reasoning, this issue will eventually make its way to the Supreme Court of the United States.