Data Law Insights

Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery


Posted in Litigation
Crowell & Moring

Crowell & Moring has issued its “Litigation Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.”

 The Forecast cover story, “Data, Data Everywhere,” takes an in-depth look at the opportunities and challenges general counsel face in navigating the Big Data revolution.

 While data is a driver for innovation – with the development of artificial intelligence (AI), chat bots, the Internet of Things (IoT), autonomous vehicles, and other technologies – the article examines how it also carries new and unintended implications for regulatory enforcement, product liability, cybersecurity, and intellectual property.

 Be sure to follow the conversation on Twitter with #LitigationForecast.


FERC Proposes to Require Expanded Cyber Security Incident Reporting

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Uncategorized
Evan D. WolffMaida Oringher LernerDeborah A. CarpentierMatthew B. WellingMichael Gruden

The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory.   FERC’s goal is to enhance the awareness of existing or developing threats, including incidents that might enable future harm to the nation’s bulk electric system.

NERC’s current CIP reliability standard, CIP-008-5 (Cyber Security – Incident Reporting and Response Planning), requires incidents to be reported only if they have compromised or disrupted one or more reliability tasks (i.e., core activities of a responsible entity). Both FERC and NERC expressed concerns that the current standard might understate the scope of cyber-related threats facing the bulk electric system.

In light of concerns that the current standard might understate the scope of cyber-related threats facing the bulk electric system, FERC issued a notice of proposed rulemaking (“NOPR”) directing NERC to broaden CIP-008-5 to:

  1. Include mandatory reporting of cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or Electronic Access Control and Monitoring System;
  2. Specify the required information in cybersecurity incident reports to improve the quality of reporting and ease of comparison by standardizing information; and
  3. Establish a deadline for responsible entities to submit a detailed report following a compromise or disruption, or an attempted compromise or disruption, is identified.

FERC suggests that the detailed report should be provided to the E-ISAC, similar to the current initial incident reporting scheme, and not to FERC. The new rule would also require reports be sent to the Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) and require NERC to file an annual, public and anonymized summary of the reports with FERC. Comments to the NOPR are due February 26, 2018.

FTC Settles First Connected Toy Case With VTech After Massive Data Breach

Posted in Cybersecurity / Data Security, Data Breach, Privacy
Peter B. MillerLauren B. Aronson

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter. Continue Reading

Comment Period Extended for NIST SP 800-171 Assessment Guide

Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Information Management, Public Sectors
Kate M. Growley

Less than two weeks after the National Institute of Standards and Technology (NIST) published a draft version of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, on November 28, the National Archives and Records Administration (NARA) announced today that the comment period has been extended to January 15, 2018.  This gives interested parties an extra three weeks from the original deadline to provide input on what contractors and their customers may use as a guide to assessing future compliance with the security standard and – importantly – the government contracts regulations that incorporate that standard, including DFARS 252.204-7012 and FAR 52.204-21.

Ninth Circuit: Disclosure of video viewing history constitutes harm sufficient to confer standing in federal court

Posted in Litigation, Privacy
Nathanial J. Wood

The Ninth Circuit Court of Appeals has joined the Third and Eleventh Circuits in ruling that any disclosure of an individual’s online viewing history along with their personally identifiable information confers standing to bring a suit for violation of the Video Privacy Protection Act (VPPA) in federal court.  The case, Eichenberger v. ESPN, Inc., Case No. 15-35449, concerned ESPN’s alleged practice of disclosing to Adobe Analytics the device serial numbers and viewing history of consumers who used its “WatchESPN Channel” application on Roku streaming devices.  Adobe is alleged to have used the information provided by ESPN, in combination with information gathered from other sources, to identify the subscribers and then provide aggregated data to ESPN that was in turn shared with advertisers.  The plaintiff alleged that this practice violated the VPPA’s prohibition on knowing disclosure of personally identifiable information of consumers.  ESPN attacked plaintiff’s claim on two fronts: first, arguing that he did not have standing because he had not suffered an injury, and second, that even if he had standing, it had not shared his “personally identifiable information.”  The district court ruled in his favor on the second point, and the Ninth Circuit took up both issues on appeal.

With respect to the threshold issue of whether the plaintiff had standing to bring a claim based on a bare violation of the statute, the Ninth Circuit ruled that such a violation was sufficient to confer Article III standing.  The court distinguished the case from the Supreme Court’s decision in Spokeo, Inc. v. Robins, where the high court ruled that a procedural violation of a statute, without more, did not grant a plaintiff standing to seek redress in federal court.  Here, in contrast, according to the Ninth Circuit, ESPN’s alleged conduct violated the substantive provisions of the VPPA—the right to “retain control over their personal information.”  In so ruling, the court rejected ESPN’s argument that the VPPA requires an allegation of some harm in addition to the privacy violation.

Plaintiff, however, did not fare so well on the second issue presented in the appeal—whether his Roku device serial number constituted “personally identifiable information” under the statute.  The court observed that this term can cover information that can be used to determine a person’s identity, but ultimately concluded that it was not to expansive as to include the serial number of a device, even if a data aggregator could use that number to ferret out an individual’s identity.  The court adopted the Third Circuit’s “ordinary person” test, which asks whether an ordinary person could use the information to identify an individual.  Concluding that an ordinary person could not use a serial number to identify the owner of the device, the Ninth Circuit affirmed the district court’s dismissal of the action.

This decision automatically confers standing on plaintiffs in the states covered by the Ninth Circuit to bring actions against video content providers who share their personally identifiable information without authorization, even absent some other form of harm.  But, it provides some room for those providers to share such information with third parties if an “ordinary person” would not be able to use the information to identify an individual, apparently even if it is disclosed to a third party expressly for the purpose of de-anonymizing it.  Internet video content providers located within the Ninth Circuit would do well to review their data-sharing practices and privacy disclosures in light of this decision, particularly given the steep statutory penalties available to consumers for violation of the VPPA.

Can You Copyright Infringe Anonymously? Revisited.

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe MeadowsLaura Aradi

On November 28, 2017, the Sixth Circuit, in a 2:1 decision, ruled on the anonymous copyright infringement case we discussed back in April. The central issue in the case involved whether an adjudicated copyright infringer can remain anonymous. A decision in favor of the infringer could encourage anonymous unlawful speech. A decision in favor of the judgment plaintiff could encourage suits designed only to “out” the name of an anonymous critic.

In a case of first impression, the Sixth Circuit didn’t make a final decision. See Signature Management Team, LLC v. Doe, No. 16-2188, 2017 WL 5710571 (6th Cir. Nov. 28, 2017).

The Court remanded the case back to the district court to balance the infringer’s anonymity interest against both the judgment plaintiff’s interest in unmasking the infringer and the public’s interest in open judicial proceedings, with a presumption in favor of disclosure of the infringer. In short, the Court held that the infringer’s anonymity was not automatically lost upon his defeat in the litigation … at least under these circumstances. Continue Reading

Law Firm Data Security Seminar

Posted in Cybersecurity / Data Security, Data Breach, Ethics
Crowell & Moring

Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:

  • How to defend high-demand data?
  • Cyber-attack response readiness
  • What is your ethical obligation regarding data security knowledge and mitigating the risk of a data breach?
  • What are the “reasonable safeguards” for a given matter?
  • Are you leveraging state-of-the-art technology?
  • Can you assure your clients that their data is secure?

Click here to sign up and see the full agenda and panelists.

Report on the Autonomous Vehicle Safety Regulation World Congress 2017

Posted in Cybersecurity / Data Security, Privacy, Product Liability & Torts
Cheryl A. FalveyChahira Solh

The big takeaways from The Autonomous Vehicle Safety Regulation World Congress centered on the importance of a federal scheme for AV regulation and the reality of the states’ interest in traditional issues such as traffic enforcement, product liability, and insurance coverage.  In keeping with those messages, the World Congress kicked off with NHTSA Deputy Administrator and Acting Director, Heidi King, speaking about NHTSA’s goals and interest followed almost immediately with wide participation from the states including California, Michigan, and Pennsylvania, among others.

Deputy Administrator King emphasized NHTSA’s desire to foster an environment of collaboration among all stakeholders, including the states.  Ms. King emphasized that safety remains the top priority at NHTSA.  NHTSA has provided some guidance, and looks forward to hearing from stakeholders about the best way to support and encourage growth in autonomous vehicles.  NHTSA wants to provide a flexible frame work to keep the door open for private sector innovation.  It is necessary to build public trust and confidence in the safety of autonomous vehicles, and that can only accomplished by all stakeholders working together.

NHTSA is working on the next version of AV guidance, having already issues its 2.0 version, with an expected release of 3.0 in 2018.  The guidelines will remain voluntary, but NHTSA is ready to support entities as they try to implement the voluntary guidance.  Working with the states, DOT, OEMs, and other stakeholders, NHTSA hopes to continue to be flexible and allow for rapid changes.  Later in the conference lawyers emphasized the importance of compliance with the guidance in minimizing liability particularly in no-fault states such as Michigan.

Dr. Bernard Soriano, deputy director, California Department of Motor Vehicles, similarly confirmed that California’s overarching interest in regulating AV is the safe operation of vehicles on its roadways.  In summarizing California’s recent October 11, 2017 release of revised regulations, he emphasized that “change happens fast,” and that the state is pleased to now be close to allowing completely driverless testing.  He recognized the federal preemption on the design of the vehicle and its crashworthiness and emphasized the state’s interest in the operation of the vehicles and compliance with state traffic laws. Continue Reading

Join Us for a Webinar – Tuesday, October 10, 2017 12:00 – 1:00 PM ET

Posted in Uncategorized
Crowell & Moring

It’s been said that “A lie gets halfway around the world before the truth can even pull its boots on.” In today’s world of online commentary and social media, this is truer than ever.

In the cyber-world, you or your company may be accused of selling defective goods, providing poor service, misleading customers, defrauding the government, or committing unethical or criminal conduct. These accusations can appear in e-mails to your clients or government enforcement agencies, as posts on blogs or company websites, or in streamed videos on social media. What’s more, they can be made or circulated by competitors or persons cloaked behind the anonymity of the internet, making it difficult (but not impossible) to hold responsible persons accountable.
As a result, internet defamation cases are on the rise. A surprise reputational attack in the cyber-world requires quick thinking and a game plan.

Please click here to register for this webinar, or click here to view the event on

This 60 minute webinar will cover the:

  • types of growing internet defamation (and sometimes intellectual property infringement) cases
  • “hot” litigation issues, including First Amendment anonymity, Communications Decency Act Section 230, and personal jurisdiction issues
  • related anti-SLAPP statute issues
  • steps to defend your online reputation


DOJ Asks Supreme Court to Resolve Split over Its Ability to Compel Foreign Records

Posted in Criminal Law, Cybersecurity / Data Security
Paul RosenChris Garcia

U.S.-based technology companies and courts across the country have disagreed over the extraterritorial application of the Stored Communications Act in allowing U.S. law enforcement to enforce warrants to reach data stored overseas.  Some courts have treated the data stored overseas as a “physical” object  and, therefore, refused to extend the reach of the Act abroad.  Other courts have found that the Act authorized a warrant for overseas data because the technology company was subject to the court’s jurisdiction and the warrant sought information from the only place the company could access it. Companies have called on Congress to help clarify the issue, and the government has also appealed to the Supreme Court to do the same.

Click here to read more.