Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity.
7th Circuit Lowers “Harm” Barrier in Data Breach Cases
In a move that many predict will open the class action floodgates, the U.S. Court of Appeals for the Seventh Circuit held in the Neiman Marcus payment card breach case that the likely threat of identity theft is enough for Article III standing. The court reasoned that harm exists in the alleged future injuries including loss of time and money protecting against identity theft and fraudulent charges.
Security Researchers Remotely Hack Jeep Cherokee
Fiat Chrysler recalled 1.4 million vehicles after security researchers demonstrated their ability to remotely control a Jeep Cherokee, including its engine, steering, and braking, among other things. The researchers had been sharing their results with the company for months during testing before they publicized their results. In related news, the U.S. Senate introduced the SPY Car Act, which would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to set cybersecurity standards for vehicle manufacturers.
FTC Files Complaint Against Lifelock for Violating Previous Settlement Agreement
The Federal Trade Commission (FTC) alleged in a new complaint filed in federal court that identity theft protection and credit monitoring service Lifelock failed to live up to its data security obligations under its 2010 settlement with the FTC. The new FTC filing alleges that Lifelock failed to establish and maintain a comprehensive information security program; falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and failed to meet the 2010 order’s recordkeeping requirements.
6th Circuit: Accidental Pocket Dials Do Not Demand Privacy Expectation
There is no reasonable expectation of privacy with pocket-dials, at least not in the Sixth Circuit. The court reasoned that, “A person who knowingly operates a device that is capable of inadvertently exposing his conversations to third-party listeners and fails to take simple precautions to prevent such exposure does not have a reasonable expectation of privacy.”
HelloWorld and Microsoft Face TCPA Class Action After Social Media Advertising Campaign
A class action suit, alleging violation of the Telephone Consumer Protection Act (TCPA) and California’s Unfair Competition Law, was filed in federal court against Microsoft Corporation and HelloWorld Inc., the marketing company it employed for social media campaigns. Consumers were allegedly asked to provide their phone number to enter a sweepstakes to win free Microsoft products but were not warned that their phone numbers would be used for text advertisements thereafter.
NIST Releases Guide to Securing Electronic Health Records on Mobile Devices
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released a full draft of its cybersecurity practice guide, “Securing Electronic Health Records on Mobile Devices,” and invited organizations to use the publication and provide feedback. The guide is intended to help health care providers combat medical identity theft by securing mobile applications used for the delivery of healthcare.