A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved. Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias. In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.
The Supreme Court on Tuesday will hear arguments in United States v. Microsoft Corp., in which the court will decide whether a US technology service provider, Microsoft, must obey a search warrant for data stored in a foreign country. “It’s going to set the tone for cross-border data demands on a global scale,” said Gregory Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology. All briefs and other documents are catalogued here at SCOTUSBlog. We’ll be watching …..
The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States is whether the government violates the Fourth Amendment by accessing an individual’s historical cell phone location records without a warrant. The Court’s decision, expected by June 2018, could draw a more concrete legal line for what constitutes “reasonable search and seizure” when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome of the case may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.
Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings
In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.
This ruling disturbs assumptions that animate federal minimum-damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, the plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA, FACTA and RESPA – which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.
We may only be three weeks into 2016, but the Telephone Consumer Protection Act (“TCPA”) has already received a considerable amount of attention this year.
Yesterday, the U.S. Supreme Court determined in Campbell-Ewald Co. v. Gomez, that a defendant could not cut off a TCPA class action lawsuit by making an offer of settlement to the lead plaintiff in an amount that would fully satisfy his claims. Specifically, a defendant company that sent a single SMS text message to the lead class action plaintiff made an offer of judgment for $1503 (i.e., the statutory value of a single TCPA violation, trebled for willful misconduct). The lead plaintiff rejected this offer.
The month of November is quickly slipping by – now is the time to review your 2014 cybersecurity and data privacy goals, catch up on the latest updates, and plan ahead.
Our selected bits and bytes for this Monday:
FTC Denies AssertID, Inc.’s Application for Obtaining Verifiable Consent Under the COPPA Rule
The FTC recently announced (press release) that the Commission voted 4-0 to deny AssertID, Inc.’s (“AssertID” or the “Company”) application for a proposed verifiable parental consent (“VPC”) method submitted for approval under the Voluntary Commission Approval Process provision of the COPPA Rule (the “Rule”). The Company submitted its proposed VPC method, ConsentID, for approval on July 1, 2013; the FTC published the application in the Federal Register on August 21; and the public comment period closed on September 20, 2013. The Commission received six (6) comments on the application, and the commenters urged the FTC to deny AssertID’s application primarily because the proposed method is not “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” as required by Section 312.5(b)(1) of the Rule. You can access our prior blog post describing the AssertID VPC method here.
In its letter to AssertID informing the Company of the Commission’s decision, the FTC stated that the Company had failed to show that its proposed VPC method satisfies the criteria required by Section 312.5(b)(1). Specifically, the Commission expressed concern about the reliability of the social-graph verification method proposed by AssertID, noting, as the commenters on the AssertID VPC method had, that (1) Facebook profiles can very easily be fabricated (according to Facebook’s 10-Q filing, there are 83 million fake Facebook accounts), and (2) many children under 13 have created social media accounts by falsifying age information. In the Commission’s view, AssertID’s limited beta testing of its VPC method was not sufficient to demonstrate that social-graph identity verification will be effective and sufficiently reliable, in a live environment, at verifying that the individual providing consent is in fact the child’s parent. The FTC declined to opine on whether the services that AssertID provides to Web site operators as part of the ConsentID service, to satisfy their direct notice obligation under the Rule, themselves satisfy the Rule’s requirements, as the Commission did not consider these services integral to the proposed VPC method.
Wall Street Journal – NIST Cybersecurity Framework
Excerpt: “Lawyers say the document will be highly influential, but some have been raising concerns about the privacy portions of the preliminary framework since its release.
In earlier iterations of the framework, “scant attention” was paid to the need for critical infrastructure organizations to address privacy as part of cybersecurity plans, according to a client alert from Mintz Levin.
“That nod to the importance of privacy has been replaced with a detailed methodology to protect privacy and civil liberties,” the alert said, briefly explaining the changes. “These added standards should receive close attention by industry reviewers.””
Payment Card Industry Group Retools Data Security Rules
By Allison Grande
Excerpt: “Companies that process credit card data are required to comply with the standard, which is incorporated by reference in every merchant agreement. A failure to comply could expose the merchant to fines imposed by the card brands, the inability to accept a particular brand, or breach of contract claims, according to Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.
While the changes contained in the latest version of the standard “are not dramatic,” the new version “benefits from many clarifications, real-life examples and flexibility built in to enable merchants to meet the intent of the requirements,” Larose told Law360 on Friday.
For example, the new version adds a “best practices for implementing PCI DSS” section that aims to push companies to make compliance “’continuous’ rather than an annual validation exercise.” It also adds guidance for cloud providers and merchants to clarify that there is “shared responsibility” for complying with the requirements, according to Larose.
“The merchant cannot outsource accountability, as it has shared responsibility with the service provider to comply,” she said. “You can outsource the functionality, but you cannot outsource the potential for liability.””
Law360 – Security Flaws Land ACA Contractors In Legal Crosshairs
By Allison Grande
The report prompted Sen. Orrin Hatch, R-Utah, and others to push legislation that would delay the launch of the exchanges until the government could ensure they had strong protections. But the Internet-based hubs opened for business as scheduled Oct. 1, and their operators have done little in the past month to dispel privacy concerns, according to attorneys.
“We don’t have the information yet to know whether or not the data security risks are real or worse than expected or have been fixed, so our assessment of the privacy risks associated with having so much incredibly sensitive information passing through these systems has not changed since they went live,” said Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.
… Attorneys pointed out that consumers might face an uphill battle in pursuing their claims, given the hurdles plaintiffs have traditionally faced in proving that a loss of sensitive data caused them actual harm.
“It’s been notoriously hard for plaintiffs in data security class actions to maintain their claims, so unless the private cause of action is related to certain information that was compromised, it would be pretty difficult to initiate an action for a breach of the system,” Larose said.
Plaintiffs might also have difficulty pinning liability for the data loss on a responsible entity in the vast web of the exchanges, according to attorneys.
However, some attorneys doubted whether federal and state enforcers would pursue data security violations very aggressively, given their close ties with the exchanges.
“The question becomes, who regulates the regulator?” Larose said.
Written by Paul E. Pelletier
The Chinese Year of the Dragon started with a bang as the Supreme Court issued a much anticipated ruling in this Fourth Amendment case that was neither brave nor innovative. In United States v. Antoine Jones the Court chose to affirm the district and circuit courts’ Fourth Amendment ruling on extremely narrow grounds. Left for another day is the question of the durational limits of covert electronic law enforcement monitoring of a criminal suspect’s public movements. Fourth Amendment connoisseurs who were expecting a blockbuster decision defining the breadth of a person’s privacy rights in the “digital age” must be disappointed.