In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]
A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.
On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who sued for a technical violation of the Fair Credit Reporting Act could maintain Article III standing for a class action without claiming any real-world injury. The case before the Court involved a putative class action brought against petitioner Spokeo, Inc., a company that generates profiles about people based on information obtained though computerized searches. Respondent Thomas Robins was one of the people with a profile on Spokeo’s website. According to Robins, the information on that profile was inaccurate. Robins filed a class-action complaint against Spokeo in federal court, alleging violations of the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports. The Ninth Circuit held that by alleging the violation of a statutory right Robins had satisfied the injury-in-fact requirement of Article III standing.
In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.
For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems, including, but not only, through privacy-related legislation.. In the 2014 session, one bill passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment. The bill is codified at California Civil Code section 1708.8. In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.
On Monday, August 3, the National Telecommunications and Information Administration kicked off the multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. As we previously reported, the NTIA action follows the White House’s February 15, 2015, Presidential Memorandum directing NTIA to lead private sector groups toward the creation of commercial UAS standards and the NTIA’s request for comments on privacy, transparency, and accountability issues related to the use of UAS.
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.
On Monday, June 1, a District Court in the Northern District of California granted AOL’s motion to dismiss plaintiff Nicholas Derby’s putative TCPA class action complaint on the grounds that the complaint failed to allege facts sufficient to establish that the AOL Instant Messenger service was an automatic telephonic dialing system under the Act. Notably, the court did not wait until discovery had been conducted to determine whether the AIM service qualified as an ATDS.
Last week, the Supreme Court granted certiorari in Spokeo, Inc. v. Robins, a case that may significantly impact the ability of plaintiffs to sue in federal court based solely on an alleged infringement of statutory rights. Plaintiffs often allege violation of statutory rights in privacy cases where standing for common law causes of action has proven more difficult to demonstrate and dismissal more frequent. A ruling from Supreme Court could upend this strategy, forcing plaintiffs to allege more than just a statutory injury across all their claims.
Two recent rulings in lawsuits against streaming video services under the Video Privacy Protection Act have tested the limits of those services’ VPPA compliance. The VPPA, enacted in 1988, prohibits the knowing disclosure of certain information about a consumer that “identifies a person as having requested or obtained specific video materials.” The actions described below address first, the relationship a person must have with a streaming service to be considered a “consumer” under the VPPA and second, the connection between a consumer’s identity and the identity of specific video material disclosed to a third party that a plaintiff must demonstrate when stating a VPPA claim.
Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.
On Friday, February 27, the White House released its promised draft privacy and data security legislation. The proposed Consumer Privacy Bill of Rights Act of 2015 contains few, if any, surprises and would codify the framework that the White House proposed in 2012, imposing privacy and data security requirements across sectors and industries. The proposal has drawn criticism from the Federal Trade Commission and privacy advocates for not containing enough consumer protections, and from the business community for a lack of clarity and the potential to stifle innovation and to create other unintended consequences. In this post, we summarize the Act and some of the ramifications if it were to be adopted in its current form.
Within the last two weeks, two different federal district courts have issued decisions in high-profile data breach cases that highlight an important issue to watch in 2015: whether consumers whose payment card data was taken have standing to pursue claims against retailers. Northern District of Illinois Judge John Darrah and District of Minnesota Judge Paul Magnuson issued decisions regarding motions to dismiss in consumer class actions against P.F. Chang’s China Bistro Inc. and Target Corp. respectively, with substantially different results. The rulings took different approaches in examining whether the plaintiffs had sufficiently alleged injury, showing continuing uncertainty over what consumers must plead in order to pursue a claim after a data breach.
On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.
Last week, the Administrative Law Judge handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?
A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the Commission for now has dodged a major bullet that threatened to derail its status as the lead commercial data security regulator in the United States.
On Monday, a federal district court dismissed two related putative class action suits filed against Nationwide Mutual Insurance Company following a data breach at Nationwide in October 2012 that affected over 1 million individuals. The opinion shows that courts remain skeptical of plaintiffs’ ability to show any real injury from the fact that their personally identifiable information was compromised without some additional evidence of concrete harm such as identity fraud. The opinion also sheds important light on the ability of plaintiffs to overcome this standing barrier by alleging that their injury derives from the violation of a federal statute.
On January 27, the European Agency for Fundamental Rights, an official agency of the European Union, released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major source of the company’s decision to wind down operations.
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”
Class action litigation challenging the practice of merchants that ask customers to provide their ZIP codes has expanded into the District of Columbia, representing an important new front in ZIP code litigation, which previously had been concentrated in California and Massachusetts, and has important implications for the ability of plaintiffs to establish standing in privacy-related actions more generally.
On August 28, the Federal Trade Commission (FTC) filed an administrative complaint against medical testing laboratory LabMD based on allegations that the company engaged in “unfair acts or practices” by failing to employ “reasonable and appropriate measures to prevent unauthorized access to personal information.” The FTC’s action in this case stems from an incident in which a file containing personal information on approximately 9,300 individuals allegedly was shared on a peer-to-peer (P2P) network from a company computer with P2P file-sharing software installed. The complaint follows other recent FTC actions in which the agency has relied on its Section 5 authority under the FTC Act to claim that companies’ exposure of data to P2P networks constituted an unlawful, unfair data security practice. The FTC’s action against LabMD makes clear that institutions governed by the Health Insurance Portability and Accountability Act (HIPAA) must also be mindful of the FTC’s increasing enforcement activity related to security controls, including actions against healthcare providers.
Somewhat of a furor has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application, claiming that the company “seriously invaded” the privacy of those individuals.
In Bloomberg BNA’s Privacy and Security Law Report, Hogan Lovells attorneys Des Hogan, Michelle Kisloff, and Chris Wolf have published an article addressing the increased litigation and regulatory risks that companies must address in the evolving privacy and data security landscape. After summarizing recent developments involving class actions and regulatory activities, the article offers guidance on how companies can reduce their financial and reputational exposure.