On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that—to the surprise of many observers—rejected the government’s construction of the Stored Communications Act (SCA) and instead embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. Microsoft Corp. v USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985). (Sidley Austin LLP represented a number of amici in support of Microsoft before the Court of Appeals and District Court.) The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions—not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, by using computers and personnel based here in the United States.
The final text of the much anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for data transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”
Securities and Exchange Commission Chair Mary Jo White emphasized the agency’s focus on cybersecurity preparedness and response at a conference in Washington, D.C. in mid May, stating “we can’t do enough in this sector.” Reuters reports that Chair White views cybersecurity as the biggest risk facing the financial system, quoting her as saying that “what we [have] found…is a lot of preparedness, a lot of awareness but also….policies and procedures [that] are not tailored to [entities’] particular risks.”
This article originally appeared in the Bloomberg BNA Privacy and Security Law Report on May 23, 2016.
In Spokeo, Inc. v. Robins, decided May 16, the U.S. Supreme Court ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic ‘‘standing’’ to sue. The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the ‘‘invasion of a legally protected interest’’ defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest.
On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robbins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc.. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.
On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit their children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.
On April 29, 2016, the FBI published an alert regarding “Incidents of Ransomware on the Rise.”
The piece provides FBI guidance on how to protect organizations, as well as the FBI’s recommendation not to pay the ransom (though in practice, they have acknowledged that it may be necessary to do so if no backup is available for essential data).