Uber Data Breach Results in Corporate Cooperation and Executive Conviction

On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.

(more…)

, , , , , ,

The FTC’s COPPA Conundrum: Ambiguities in the Rule and a Death of Authoritative Guidance Leave the Agency Vulnerable to Legal Challenges

This article was originally published by the ABA’s ANTITRUST magazine in its Summer 2022 issue.

The Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s COPPA-enforcing rule have increasing relevance for all businesses that interact directly with consumers online—including companies that do not regard themselves as marketing directly to children. Both the FTC and state Attorneys General are active in enforcing COPPA, and companies can often be caught off guard by government inquiries scrutinizing their compliance. (more…)

, , , ,
Sean Royall

Dallas, Washington, D.C.

sroyall@sidley.com

Caremark’s Comeback Includes Potential Director Liability in Connection With Data Breaches

Caremark­-based claim against a board of directors alleging a failure to monitor corporate operations has been said to be “the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” or at least to withstand a motion to dismiss.  Yet, Caremark has taken on renewed importance — as noted by this blog — following recent high-profile successes on duty-to-oversee claims, most notably in Marchand v. Barnhill in 2019 and In re Boeing in September 2021, and recent shareholder lawsuits alleging that data breach- and cybersecurity-related failures would have been preventable were it not for oversight failures by corporate officers and directors, are being plead asserting Caremark claims. (more…)

, , ,

DOJ Deploys the FCA on Cybersecurity Fraud

This article originally appeared in Law360 on November 3, 2021.

Sidley lawyers Brenna Jenny and Sujit Raman recently published an article in Law360 entitled How To Minimize FCA Cyber Fraud Enforcement Risk, which analyzes the implications of DOJ’s recent formation of a Civil Cyber-Fraud Initiative to use the FCA to pursue cybersecurity-related fraud.  Although the Initiative focuses generally on government contractors and grant recipients—and does not, by its terms, impose any new cybersecurity requirements—the project promises in particular to attract whistleblowers in the defense industry, as recent years have witnessed high-profile FCA cases implicating alleged cybersecurity non-compliance in that sector.  The healthcare industry may also see a marked increase in cybersecurity-related qui tams, especially in light of a recent Department of Health and Human Services Office of Inspector General report taking the Centers for Medicare & Medicaid Services to task for failing to hold hospitals accountable for the cybersecurity of their networked devices.  Healthcare providers and medical device manufacturers, in addition to other government contractors and grantees, would do well to heed DOJ’s warning that “cybersecurity failures…are prime candidates for potential False Claims Act enforcement.”

(more…)

, ,

How Artificial Intelligence Manufacturers Can Protect Themselves Against Future Negligence Claims

Innovative medical devices have changed the healthcare landscape and will continue making dramatic improvements in patient care. Nevertheless, the growth of such devices will inevitably lead to increased litigation over their alleged failures. All companies developing healthcare tech therefore need to consider measures to protect themselves against potential claims. (more…)

, , ,

Changes to FTC Rulemaking Procedures Herald More Aggressive Action on Consumer Privacy

On July 22, 2021, the Federal Trade Commission finalized important changes to its procedures for rulemaking under Section 18 of the FTC Act. Section 18 authorizes the Commission to make regulations, termed “Trade Regulation Rules,” (or “Magnuson-Moss Rules” after their authorizing statute), which “define with specificity” conduct that violates the FTC Act’s ban on “unfair or deceptive” business practices. Section 18 rules are promulgated through a “hybrid rulemaking” process that includes, if an interested party requests it, an “informal hearing” with limited opportunities for oral presentation and cross-examination by representatives of stakeholder groups. (more…)

, , ,

U.S. Supreme Court Tightens Standing Requirements in TransUnion Decision

On June 25, 2021, the Supreme Court of the United States handed down its decision in TransUnion LLC v. Ramirez, which tightened the Court’s requirements for showing standing and will significantly affect class action litigation, particularly in cases involving causes of action created by federal statute or involving allegations of a potential risk of injury.

(more…)

, , ,

Using Data De-Identification to Protect Companies

Many companies hope to benefit from amassing large amounts of data by mining it for market insights, creating internal business models, and supporting strategic, data-driven decisions. But as companies collect and store increasingly enormous volumes of data, they may unknowingly take on significant legal risks, including potential violations of data privacy laws and increased exposure to U.S. litigation discovery obligations. One way that businesses can mitigate these risks is to de-identify the data they collect and store.

(more…)

, , , , ,

Developments in Cookie Regulation: French CNIL Declares Intent to Audit Websites for Cookie Compliance

On April 2, 2021 the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication comes following a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness on the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021 and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increase in scrutiny on cookies in the EU (and the US pursuant to certain state laws), organizations with websites / platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.

(more…)

, , , , , , ,

Supreme Court Considers Injury and Typicality Questions in Case With Implications for Data Breach and Privacy Class Action Litigation

On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC. v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to two individuals whose name were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include FCRA-required information about how to dispute and correct the incorrect information.

(more…)

, , ,