Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity.
FTC Settles 13 Safe Harbor Violations
The FTC charged 13 companies with deceiving consumers about their certification status as part of the Safe Harbor framework, a popular method by which companies can transfer data from Europe to the United States. Companies who have settled with the FTC are subject to a 20-year consent order, which requires the companies to, among other things, keep precise records of the FTC’s overview. For more information key lessons learned from these settlements, read Chris Hoff’s blog on the issue here.
Class Certification Denied in Apple Intercept Litigation
Plaintiffs in a Northern District of California suit against Apple have been denied class certification. Plaintiffs have accused Apple intercepting certain iMessages, because of a bug. The Court found that the proposed class was “unascertainable.” It was too uncertain to tell, the court noted, “whether a third party sender used iMessage, whether it was before or after a proposed class member attempted de-registration, and whether the proposed class member did or did not receive the text message.”
Target and Visa Reach $67 Million Settlement Over Data Breach
In the largest single data breach settlement to-date, Target has agreed to pay Visa $67 million over the 2013 data breach. It is estimated that 110 million Target customers were affected by the breach, which is thought to be among the largest in U.S. history. This settlement signals that card-issuing banks may have an easier time securing settlements over data breaches than consumers.
Ashley Madison Data Released Online
On Tuesday, hackers released the data of 37 million Ashley Madison users. The dating site provided a forum for those interested in “casual encounters, married dating, discreet encounters, and extramarital affairs.” Users, in addition to paying for the service, could pay a $19 fee to have the site permanently delete their profiles, which the site purportedly failed to do. Given the concrete and uniform nature of this injury, the site’s outed-users could make an excellent class of plaintiffs.
Metropolitan Police: Security Vulnerability Accounts for 42% of Vehicle Thefts in London
According to London’s Metropolitan Police, 6,000 vehicles were stolen using a keyless entry hack in London last year. For about $20, hackers are able to purchase a device online that can be plugged into the diagnostic port below the dashboard. This device gleans information from the car, which is then used to reprogram a blank fob and start the vehicle. To access the car initially, thieves typically break a window or use a second device to block the signal of a driver locking the car with a fob.
Court Holds a Warrant is Required for the Government to Obtain Historical Cell Site Location Information
The Northern District of California held that the government was not permitted to obtain historical cell site location information (CSLI) without a warrant. The government argued that it was permitted to access the data under the Stored Communications Act (SCA) and that it, therefore, could obtain CSLI from providers without a warrant. The Court rejected this argument. It held that the SCA did not govern CSLI and, moreover, users had a reasonable expectation of privacy in the data.
Senator Schumer Proposed No Drone Zone Over Airports
Senator Schumer (D-NY) announced plans to introduce legislation to set up no-fly zones for drones, which would include airports and other sensitive areas. The bill would require manufacturers to set up geo-fencing technology in drones, preventing them from entering certain areas even when directed by a human pilot. Senator Schumer intends to introduce the bill as an amendment to a bill extending the authority of the Federal Aviation Administration, which may come as late as 2016.