Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

New Texas Law Explicitly Allows Driverless Cars

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Brandon C. Ge

On June 15, Texas Gov. Greg Abbott signed a bill that explicitly allows self-driving cars on the state’s roads and highways, regardless of whether a human is physically present. While there was no ban on driverless cars, Texas law did not explicitly permit them either. This created a grey area of the law that fueled apprehension among manufacturers about testing self-driving cars in Texas.

Senate Bill 2205 allows driverless vehicles to operate in the state as long as the vehicle is:

  • Capable of operating in compliance with state traffic and motor vehicle laws;
  • Equipped with a recording device;
  • Equipped with an automated driving system that complies with applicable federal law and federal motor vehicle safety standards;
  • Registered and titled in accordance with Texas law; and
  • Covered by motor vehicle liability coverage or self-insurance.

With the new law, Texas joins a growing list of states that officially permit driverless cars on public roads, setting the stage for the eventual rollout of autonomous vehicles to consumers. But while the technology has remarkable potential, it also raises significant privacy and security concerns. Autonomous vehicles are data-gathering machines and may log historic and real-time geolocation data, which will likely be highly coveted for its ability to reflect individuals’ lifestyles and purchasing habits. Cybersecurity is another major issue – for example, how will collected data be stored or transmitted? In addition, vulnerabilities may allow hackers to hijack and steal self-driving cars or interfere with their safety.

Judge Approves Neiman Marcus Data Breach Settlement

Posted in Cybersecurity / Data Security, Data Breach
Jeffrey L. Poston, Brandon C. Ge

Last week, an Illinois judge preliminarily approved a $1.6 million settlement between Neiman Marcus and a class of customers affected by a 2013 data breach. The settlement, which the parties agreed to in March, covers U.S. residents whose credit card or debit card was used between July 16, 2013 and January 10, 2014 at any Neiman Marcus store. Any such customers who file a claim will receive up to $100, with the four class representatives receiving $2,500 each. The settlement does not require Neiman Marcus to take any specific security-related measures.

The 2013 data breach, which was the result of malware installed in Neiman Marcus’s computer system, potentially exposed approximately 370,385 cards. Approximately 9,200 of these were later used fraudulently. The suit was filed in March 2014 and was initially dismissed for a lack of standing in September 2014. The Seventh Circuit later revived the case, finding that any costs for fraud prevention such as credit monitoring were sufficient to establish standing.

Nevada Enacts Internet Privacy Regulation

Posted in Internet of Things, Privacy
Jeffrey L. Poston, Leigh Colihan

On June 12, Nevada Gov. Brian Sandoval (R) signed into law a bill requiring the operator of an Internet website to disclose the type of information it collects on Nevada residents.  Under the law, any company or person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects information about individuals residing within Nevada, and (3) maintains minimum contacts with Nevada must make available a notice listing the personally identifiable information the operator is collecting on consumers.  The operator must also disclose whether it allows third-party access to the personal information and must notify the consumer of any process to review and request changes to any of his or her covered information.  If not in compliance, the operator has 30 days to remedy a failure to comply or face a civil penalty imposed by the state attorney general.

Other states have submitted similar legislation to enhance Internet privacy laws following President Trump’s repeal of the Federal Communications Commission’s broadband privacy rules.  For example, Illinois’s “Right to Know” bill passed the Senate and is now pending before the House, where it has yet to be brought to a vote.  The Illinois bill requires websites to notify consumers about what data the companies collect and to whom they sell the data.  As more states propose and pass their own regulations, compliance for companies could become challenging if the requirements vary, mirroring the oft-cited “patchwork” of state data breach notification laws.

Data Breach Class Action Dismissed for Not Establishing Economic Injury

Posted in Data Breach, Litigation
Jeffrey L. Poston, Brandon C. Ge

Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights perhaps the most challenging issue for plaintiffs in data breach class actions.

The complaint stemmed from a data breach that Barnes & Noble suffered in 2012 where hackers tampered with PIN pad terminals in 63 Barnes & Noble stores across nine states, compromising customers’ credit card and debit card information. The Court previously ruled that the plaintiffs had to allege economic or out-of-pocket damages caused by the data breach in order to state a claim.

The U.S. District Court for the Northern District of Illinois ruled that the plaintiffs’ alleged injuries to the value of their personally identifiable information, time spent with bank and police employees, and emotional distress were insufficient to state a claim. Similarly, although the plaintiffs alleged a temporary inability to use their bank accounts, they failed to demonstrate how this inconvenience caused any monetary injury. The plaintiffs’ lost cell phone minutes in speaking to bank employees and purchases of credit monitoring were also deemed insufficient to state a claim.

Supreme Court to Hear Major Cellphone Privacy Case

Posted in Admissibility, Litigation, Privacy
Jeffrey L. Poston, Brandon C. Ge

Yesterday, the Supreme Court announced that it will hear a case with significant ramifications for privacy in the digital age. The case involves a man convicted of armed robbery based in part on cellphone location data obtained without a probable cause warrant. The conviction was appealed to the Sixth Circuit Court of Appeals, which held that the Fourth Amendment does not require a warrant under such circumstances.

While the Supreme Court has recently restricted the search of cellphone contents and the use of GPS devices by law enforcement, it ruled in 1979 that a robbery suspect had no reasonable expectation of privacy in numbers dialed from his phone because the suspect had voluntarily turned this information over to the phone company. Relying on this “third-party doctrine,” federal appeals courts have generally agreed that the Fourth Amendment does not protect cellphone location data because customers routinely provide this data to cellphone companies.

Cellphone carriers can track individuals’ approximate locations based on which signal towers the cellphone can reach, and law enforcement officials frequently obtain such information to assist in investigations. This case, likely to be heard in the fall, gives the Supreme Court an opportunity in the digital age to clarify privacy rights in such records.

The PRC Cybersecurity Law Takes Effect

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Jeffrey L. Poston, Paul Rosen, Brandon C. Ge

The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and criminal penalties.

The PRC Cybersecurity Law requires the implementation of administrative and technical security safeguards, restricts the cross-border transfer of personal information and “important data” collected through operations in China, and mandates the protection of personal information.

While much of the law remains murky, the PRC Cybersecurity Law will likely impact companies of all sizes that do business in China, including those that do not have a physical presence there. Companies should carefully review their practices to determine how the new requirements – particularly those relating to data localization and the PRC’s potential access to that data – impact their operations in China.

Gunning For An Anonymous Internet Defamer or Infringer’s Identity …

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

… outside your main jurisdiction can have collateral consequences.

In Gunning v. Doe, 2017 WL 1739442 (Me. May 4, 2017), Maine’s highest court just dodged the issue of the applicable First Amendment test for the disclosure of an anonymous speaker accused of defamation.  Instead, it deferred to California’s test.  Why?  Collateral estoppel:  the defamation plaintiff lost her effort to subpoena a California website host for identifying information of the John Doe defendant, and that decision barred the plaintiff from relitigating the disclosure issue in Maine.

Can You Copyright Infringe Anonymously?

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

Yesterday, the Sixth Circuit heard an anonymous copyright infringement case of first impression. See Signature Management Team, LLC v. Doe, No. 16-2188 (6th Cir.). The issue: whether an adjudicated copyright infringer can remain anonymous.

The infringer said he can.

“John Doe” appeared in the case through counsel and defended against Signature’s infringement claim. He lost. But he maintained his right to anonymity under the First Amendment. According to Doe, a court should balance a defendant’s right to remain anonymous against a plaintiff’s need for the defendant’s identity at all stages of litigation, including post-judgment. And here, as the lower court held, Signature prevailed but it didn’t need Doe’s identity where no damages were sought and Doe agreed to cease the infringement.

What’s Next For Federal Anti-SLAPP Legislation

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Clifford J. Zatz, Joe Meadows, Laura Aradi

Congress may re-introduce federal anti-SLAPP legislation this session.  Similar bills in 2009, 2012, and 2015 never made it out of committee.  Our Law360 article identifies several areas to improve on a fourth attempt to enact a universal anti-SLAPP law.  The article also highlights the constant battle between First Amendment rights and rights to protect one’s name and business.  There’s room for a middle ground by drafting a narrow definition of “matter of public concern,” setting reasonable dismissal and disclosure standards, including limited discovery, and restricting removal of cases to only those involving the First Amendment.

Court Allows Data Breach Claims Against Kimpton

Posted in Data Breach, Privacy
Maida Oringher Lerner, Kate M. Growley, Charles Austin

On April 13, a federal court ruled that theft of credit card information, even prior to misuse of that data, could permit a plaintiff to pursue claims based on a 2016 data breach at certain Kimpton hotel properties.  In Walters v. Kimpton Hotel & Restaurant Group, the court denied in part Kimpton’s motion to dismiss and rejected Kimpton’s position that actual injury, for standing purposes, requires unauthorized charges or other misuse of payment data.  Based on the allegations, the court found it plausible that, given the dates the plaintiff stayed at an affected hotel, the plaintiff’s payment card information “was taken in a manner that suggests it will be misused.”  It was not necessary, the court concluded, that the plaintiff wait until actual misuse occurred before seeking relief for both the theft and the time and effort spent monitoring his credit and mitigating potential misuse.  The court further ruled that the plaintiff alleged out-of-pocket expenses and other actual damages sufficient to support his claims for implied breach of contract, negligence, and violation of California’s Unfair Competition Law.

The court also found that Kimpton’s privacy policy provided a plausible basis for the existence of an implied contract between Kimpton and its patrons.  Specifically, the court noted that Kimpton’s privacy policy stated that “Kimpton is ‘committed’ to safeguarding customer privacy and personal information,” and that this commitment may create an enforceable promise.