Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

SAFETY ACT LIABILITY PROTECTIONS WILL BE TESTED

Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Litigation
Evan D. Wolff, Maida Oringher Lerner, Matthew B. Welling

After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be held liable because the security technology used at the concert was certified by the Department of Homeland Security (“DHS”) under the SAFETY Act.

The SAFETY Act, enacted as part of the Homeland Security Act of 2002 (Pub. L. No. 107-296), provides incentives for the development and deployment of anti-terrorism technologies, including products, services and software (or combinations thereof), by creating systems of risk and litigation management. To benefit from SAFETY Act protections, a company must apply to DHS for approval of its technology as a qualified anti-terrorism technology (“QATT”). Upon submission of a SAFETY Act application, DHS engages in a detailed evaluation of the technology, including the effectiveness of the technology’s anti-terrorism capability.

Once a technology is deemed qualified, it is entitled, under federal law, to significant limitations on liability that may otherwise stem from a designated “act of terrorism.” For technology DHS “certifies” as qualified under the Act, the owner, seller and/or provider of the QATT is presumptively entitled to immunity from all tort claims for damages arising out of an act of terrorism associated with the product or service. Alternatively, if the product or service receives a “designation” under the Act, potential tort liability is limited to the amount of insurance that DHS determines the applicant should maintain in connection with such losses. Significantly, the SAFETY Act affords protection not only to the owner of the QATT; it also protects other entities in the supply and distribution chains for the QATT products and services.

While DHS has approved over 800 SAFETY Act applications to date, the MGM suit is the first where a defense under the Act has been raised before a court. A key issue in the MGM suit will be whether the shootings were an “act of terrorism” under the Act. Because the suit is the first to raise a defense under the Act, the case will likely be of interest broadly to companies owning or deploying SAFETY Act QATTs, as well as those considering applications to DHS.

Upcoming NIST Hosted DFARS Safeguarding Clause & CUI Training – October 18, 2018

Posted in Cybersecurity / Data Security
Evan D. Wolff, Maida Oringher Lerner, Peter B. Miller, Kate M. Growley, Michael Gruden

The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018. The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled Unclassified Information (CUI), the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. The workshop will be webcast and held at NIST in Gaithersburg, MD.

In the event that you are unable to attend, Crowell & Moring attorneys will be in attendance and can provide a summary of notable takeaways from the workshop.

A draft agenda and on-site registration are available here.  

Colorado’s New Data Privacy Bill Increases Notification and Safeguarding Requirements

Posted in Cybersecurity / Data Security, Privacy
Evan D. Wolff, Maida Oringher Lerner, Matthew B. Welling, Michael Gruden

The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents. Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the notification time frame, requiring that affected Colorado residents and the Attorney General be notified within 30 days of determining that a data breach occurred; 2) requiring business and third party entities to adopt “reasonable security procedures” to safeguard the personally identifiable information (“PII”) they handle; and 3) imposing data disposal rules for such entities.

Notable provisions of the bill include:

  • Expanding the Definition of Personal Information: The Colorado bill expands the definition of PII to a resident’s first name or first initial and last name plus one or more of the following additional elements: 1) Social Security Number or Personal ID Number; 2) Passport Number; 3) Driver’s License or ID Card Number; 4) Employer, Student, or Military ID Number; 5) Password or Passcode; 6) Biometric Data; or 7) Financial Transaction Device (e.g., credit or debit card).
  • Increasing Data Safeguarding and Disposal Responsibilities: Entities that possess PII of Colorado residents are required to implement “reasonable security procedures” appropriate to the nature of the data and the nature and size of the organization. Entities must also maintain a written policy requiring destruction of PII when it is “no longer needed,” rendering the data “unreadable or indecipherable.”
  • Third Party Enforcement: Entities that provide PII to a third party service provider must require that third party to implement and maintain the same reasonable security procedures required of the entity itself. However, an entity may instead choose to provide its own reasonable security protection for the information it gives to the service provider, which eliminates the third party enforcement requirement.

For further information, please contact one of the attorney authors or your regular C&M professional.

The CLOUD Act and the Future of International Access to E-Evidence

Posted in Cloud Computing, Criminal Law, Cybersecurity / Data Security, Government Agencies, Preservation, Privacy
Joanne Oleksyk, Stephen M. Byers

Attorney General Jeff Sessions and EU Justice Commissioner Věra Jourová have met twice over the last two weeks, signaling momentum towards a new EU-U.S. solution for the sharing of electronic evidence. These meetings occurred in the wake of proposed regulations on the sharing of electronic evidence in the EU, and the passage of the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) in the United States. The CLOUD Act, passed as a rider to the omnibus spending bill in March 2018, clarifies that warrants and subpoenas issued under the Stored Communications Act (SCA) can reach data stored overseas and provides a streamlined process for foreign governments to obtain data stored in the United States.

Although the CLOUD Act establishes the government’s right to obtain data stored abroad under U.S. law, electronic communication or storage providers could have conflicting obligations under the laws of other countries. The CLOUD Act partially addresses this conflict by creating a process by which a recipient of legal process under the SCA can challenge it. But this challenge process is limited. Providers can only challenge the legal process on the basis of conflicting obligations under the law of a foreign government if (a) the subscriber whose information is sought is not a U.S. person or resident and (b) the foreign government has entered into an “Executive Agreement,” as defined by the CLOUD Act.

Executive Agreements under the CLOUD Act are agreements between the United States and a foreign government that allow each party reciprocal rights of access to data. An Executive Agreement would allow a foreign government to issue an order for electronic evidence to a provider subject to U.S. jurisdiction where the order is (a) issued in compliance with the domestic law of that country; (b) founded on reasonable justification; (c) related to the investigation of a serious crime; and (d) targets a non-U.S. person.

The Executive Agreement framework marks a substantial departure from prior practice, which required use of the Mutual Legal Assistance Treaty (MLAT) process to obtain data located in a foreign country. Where a foreign country seeks data stored in the U.S., the MLAT procedure requires an order to be issued by a United States magistrate judge. The Executive Agreement eliminates this ex-ante judicial check on foreign demands for data. As of May 24th, negotiations with foreign governments over Executive Agreements had not yet begun, although the Department of Justice has indicated that several foreign governments have expressed interest.

As domestic and foreign laws are updated to account for the trend of data becoming increasingly untethered to geographic location, greater international harmonization is necessary. Without harmonization, providers can face circumstances where the law of one country requires disclosure that the law of another prohibits. The CLOUD Act takes a step towards harmonization by creating the challenge process, but it presupposes that countries will enter into Executive Agreements under its terms. EU Justice Commissioner Věra Jourová has already been critical of this aspect of the CLOUD Act, tweeting that it “narrows the room for the potential compatible solution between EU-US.” Should countries find the CLOUD Act’s requirements for Executive Agreements untenable, the CLOUD Act’s legacy may be as an obstacle to rather than a tool for international electronic communication or storage providers.


Seventh Circuit Revives Data Breach Case Despite No Evidence Of Monetary Harm

Posted in Cybersecurity / Data Security
Nathanial J. Wood, Matthew B. Welling

The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches. The case relates to a 2012 incident in which Barnes & Noble discovered that attackers had compromised some of the PIN pads it used to verify customer payment information. The attackers then used these devices to acquire customer data including names, payment card information and PINs.

Because of this incident, some Barnes & Noble customers temporarily lost use of their funds while waiting for their banks to reverse unauthorized charges, spent money on credit monitoring services, and lost time dealing with impacts of this data breach.  Suing under Illinois and California state law, plaintiffs seek to collect damages from Barnes & Noble, as well as the data thieves.

Barnes & Noble moved to dismiss the complaint.  The district court granted Barnes & Noble’s motion in 2013, holding that the representative plaintiffs suffered no loss and therefore lacked Article III standing to bring their claims.  But subsequent 7th Circuit case law undercut that ruling, as the Circuit court held in Remijas (2015) and Lewert (2016) that customers who experience a loss of data have standing.  The district court, bound by those decisions, held that the plaintiffs had standing, but nevertheless dismissed plaintiffs’ complaint, finding that it did not adequately plead damages for any of the alleged claims.

The 7th Circuit reversed the trial court’s decision, in an expansive ruling that appeared determined to find standing and permit the case to advance.  With respect to the California plaintiff, the court permitted the plaintiff’s claims to survive based on the “damages” allegations that she did not have access to certain funds for three days and was inconvenienced by having to take time “sorting things out” as a result of the breach.  In so doing, the court was dismissive of California law holding that time spent filling out paperwork is insufficient to allege damages, and relied on factually distinguishable and unpublished California authority (which is not precedential, and may not even be cited under California procedure) to find that loss of use of money was a cognizable form of damages.  And for the Illinois plaintiff, who alleged she had purchased credit monitoring as a result of the breach, the Seventh Circuit flatly disregarded published Illinois appellate authority rejecting the plaintiff’s alleged damages theory, on the basis that the court believed—without citation to any Illinois state authority—that the Illinois Supreme Court would not agree with the state appellate court.    

While the court somewhat tempered its decision by declaring that the question of whether Barnes & Noble violated any state laws by failing to prevent the thieves from stealing customer information remained open on remand, and questioned whether a class could be certified, this decision should nevertheless be concerning to companies in the Seventh Circuit who, like Barnes & Noble, find themselves victims of data thieves, even where years have passed and it is clear that the impacts to consumers are de minimis.

Political Data Firm Improperly Accessed Facebook Users’ Data

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Peter B. Miller, Brandon C. Ge

Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.

Ninth Circuit Revives Data Breach Class Action, Finds Risk of Identity Theft Without Actual Harm Sufficient to Establish Standing

Posted in Uncategorized
Brandon C. Ge, Nathanial J. Wood, Jeffrey L. Poston

Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re Zappos.com, was whether the plaintiffs had standing to bring claims based on a January 2012 data breach where hackers allegedly stole the personal information of more than 24 million Zappos.com Inc. customers—names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.

The decision is likely to have a significant impact on data breach litigation given the number of such cases filed in the Ninth Circuit. The circuits are currently split on the standard for establishing Article III standing in data breach litigation, a split that will likely continue until the Supreme Court addresses the issue.

The Ninth Circuit’s decision also creates a need for companies to revisit their standard breach notification language, as the court revived the claims against Zappos in part because Zappos warned its customers in its notice that they should consider changing their passwords due to the breach, which the court considered evidence that consumers were at risk of harm from the incident.

Click here to read Crowell & Moring’s full alert.

PayPal Settles FTC Claims Regarding Venmo’s Disclosure, Privacy, and Security Practices

Posted in Cybersecurity / Data Security
Brandon C. Ge, Peter B. Miller

On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and user control over optional settings.

Specifically, the FTC alleged that Venmo

Learn about how Regulation Will Shape Digital Transformation in Crowell & Moring’s 2018 Regulatory Forecast Cover Story: “Digital Transformation: The Sky’s The Limit”

Posted in Cybersecurity / Data Security, Litigation
Crowell & Moring

Crowell & Moring has issued its “Regulatory Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.”

The Forecast cover story, “Digital Transformation: The Sky’s the Limit,” provides a look at how technology is helping companies soar to new heights and how regulation can help companies to succeed.

It is clear digital technology is driving the future of business across a wide range of industries and Washington, as well as state and global regulators, is forging the appropriate balance between fostering innovation and protecting consumers. This report is the companion piece to the firm’s 2018 Litigation Forecast, which was published in January and also focused on the opportunities and challenges general counsel face in navigating the Big Data revolution.

Be sure to follow the conversation on Twitter with #RegulatoryForecast.


U.S. Securities and Exchange Commission Ups the Ante for Addressing Corporate Cyber Risks

Posted in Cybersecurity / Data Security
Data Law Insights, Paul Rosen

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad, by: 1) articulating the SEC’s expectations regarding the adequacy of disclosures; and, for the first time, 2) recommending the implementation of policies and procedures that address disclosure controls as well as insider trading.