This article originally appeared in the Bloomberg BNA Privacy and Security Law Report on May 23, 2016.
In Spokeo, Inc. v. Robins, decided May 16, the U.S. Supreme Court ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic ‘‘standing’’ to sue. The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the ‘‘invasion of a legally protected interest’’ defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest.
On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robbins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc.. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.
On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit their children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.
In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), the U.S. Court of Appeals for the 4th Circuit affirmed the judgment on the reasoning of the federal district court in Virginia (No. 1:13-cv-00917-GBL-IDD), holding that Travelers had a duty to defend Portal in an underlying class action alleging online publication by Portal of confidential patient medical information pursuant to two commercial general liability (CGL) policies Travelers issued to Portal in 2012 and 2013.
*This post originally appeared in Lawfare on February 25, 2016.
Let’s not pretend that that the outcome the Justice Department seeks in the Apple case is limited to only a single case and just this particular phone.
This unquestionably involves a special case. Because of the specter of an ISIS connection, the San Bernardino attacks send chills down the spine of every American. The ISIS connection makes this case different from other cases of homegrown radicalization. And the actual owner of the iPhone has consented to the search.
It is these special characteristics that make the San Bernardino case a compelling vehicle for the FBI to press its concerns about end-to-end encryption on devices and apps. … [Read More]
The European Court of Human Rights (“ECtHR”) ruled earlier this month that an employer’s monitoring of an employee’s personal emails in a work-related Yahoo account was not a breach of the employee’s Article 8 privacy rights (“the right to respect for private and family life, the home and correspondence”). The court’s ruling was not a general approval of employee monitoring, but was dependant on several critical facts, including the employer’s policy completely prohibiting personal communications on work accounts, and the limited nature of the monitoring into only the work account.
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.
The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.
The second edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication, including Alan Charles Raul, William RM Long, Geraldine Scali, Catherine M. Valerio Barrad, Yuet Ming Tham, Jillian Lee, Takahiro Nonaka, Tasha D. Manoranjan, and Vivek K. Mohan. For a closer look at this developing area of law, please visit http://www.sidley.com/the-privacy-data-protection-and-cybersecurity-law-review-11-2015.
A recent ALJ Initial Decision may prove significant in data breach litigation and provide further aid to companies battling class actions with claims of future injury through identity theft. On November 13, 2015, the administrative law judge hearing the FTC’s action against medical testing laboratory LabMD dismissed the FTC’s case in its entirety. See In re LabMD, Inc., F.T.C. ALJ, No. 9357 (Nov. 13, 2015). The action had its genesis in an investigation of LabMD’s security practices. The investigation began after a report that information from LabMD may have been disclosed on a file-sharing website. The FTC asserted that LabMD had failed to properly protect sensitive data and that information gleaned from its records was being used for identity theft purposes.