On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMD, Inc. The FTC concluded that the ALJ had erred in dismissing the Commission’s case against the lab testing company LabMD and had misapplied the unfairness standard. The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm. What does this mean for privacy enforcement? Read on. Continue Reading FTC Plants A Flag With LabMD Ruling: What This Means for Enforcement
The U.S. Court of Appeals for the Ninth Circuit recently issued a decision that could have far-reaching implications for the relationships between companies that provide online services, their customers or users, and third parties. In Facebook v. Vachani, the Ninth Circuit found that Power Ventures violated the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code Section 502 by continuing to access Facebook’s computer system after receiving Facebook’s letter demanding that it cease and desist such activity. Although Power Ventures had permission from the relevant Facebook users, that authorization had been revoked by Facebook itself through its letter.
Vachani’s Business Model
Power Ventures (“Power”) is a company founded by CEO Steven Vachani. As part of its business model, Mr. Vachani operated a social networking site, Power.com. The idea was that Power.com would act as a social network aggregator, allowing users to see all of their social network contacts across different services on a single page. The user could then use the Power.com service to access the individual social networking sites.
Read on to understand what occurred in the case and what key takeaways it provides for senior decision makers and in-house counsel. Continue Reading Facebook v. Vachani – User Authorization Can Be Revoked By Service Providers
In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases
In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly. On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.
As we previously wrote, the California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA. As early as 2012, the office began sending notices of non-compliance to mobile application developers. When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA. Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case. Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly
Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot. The cash and noncash terms of the proposed settlement are unexceptional. What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided. The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side. Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?
Among the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino. On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy,” focused on the intersection of the competing values of privacy and security in American society. Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation Director James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County; and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading Apple vs. FBI: The House Judiciary Committee Hearing and Takeaways
A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts. The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted. Continue Reading Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone
The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court. The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices. Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.
The proposed settlement reached between Wyndham and the FTC, which is in effect for 20 years, provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards. The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).
Those provisions include Wyndham agreeing to undertake the following:
- Establish a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring, for the next 20 years;
- Conduct annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
- Obtain certification from an independent certified assessor, before implementing any “significant change” to its data security practices, that the change would not cause it to fall out of compliance;
- Provide all assessments to the FTC;
- Keep the records relied on to prepare each annual assessment for three years; and
- Submit to compliance monitoring by the FTC.
Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.
The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parent and child users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products; the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet; and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the Kid Connect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide
Two years after the massive holiday season theft of customers’ payment card data from Target point of sale terminals, the Target data breach litigation appears to be entering its final act. On Tuesday, December 1, Target entered into a settlement agreement with a class of banks and financial institutions that issued the credit and debit cards that were compromised in the 2013 event. The settlement was the result of negotiations following closely on the heels of an order by the court certifying a card issuer class. This last settlement resolves card issuers’ claims that were not previously resolved in Target’s August 2015 settlement with Visa, which provided $67 million to resolve claims made by Visa card issuing banks under Visa’s fraud resolution process. Also separate from this settlement is the $10 million settlement of the claims of consumers whose cards were compromised by the data theft, which Target concluded with the consumer class in March 2015. Continue Reading Target and Card Issuers Reach Final Data Breach Settlement