Data Breach Liability Requires Actual Misuse; More U.S.-EU Data Transfer Uncertainty; Airline App Exempt from State Privacy Law; Pending Cyber Bill Would Create Consortium; Encryption-Related Deceptive Advertising Settlement; PayPal Fined for Deceptive Trade Practices
The Spokeo effect: data breach claims require actual examples of information misuse
Last week, a federal court dismissed claims alleging harm from a hospital data breach, on the grounds that the plaintiff failed to allege more than the mere threat of injury. In Khan v. Children’s National Health System, No. 8:15-cv-2125 (D. Md.), the plaintiff alleged that phishing attacks compromised hospital employees’ email accounts containing patient information, including social security numbers, addresses, dates of birth, and other private healthcare information. The court held that the plaintiff lacked standing and could not proceed in federal court because the plaintiff failed to allege either specific instances of misuse from the particular breach at issue or “a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”
The court’s reasoning also demonstrates the favorable impact that this month’s Supreme Court decision in Spokeo v. Robins may have for defendants in data breach actions. The Khan opinion explained that mere violation of a statute does not necessarily create the “concrete harm,” such as actual misuse of information, required by Spokeo. Although it remains to be seen what the Ninth Circuit does with Spokeo on remand and how Spokeo will impact future cases, it seems likely that federal courts will continue to be inclined to disfavor claims where the harm alleged is the “diminished value” of personal information, a general loss of privacy, or simply a technical statutory violation.
U.S.-EU Privacy Shield concerns persist, while new concerns about model clauses surface
The actions of two European institutions suggest that disputes over transatlantic data transfers are far from resolved. First, the European Parliament passed a resolution recommending that the EU continue negotiations regarding the EU-U.S. Privacy Shield to address ongoing concerns about potential data access for U.S. government surveillance purposes, sufficient and effective enforcement mechanisms, and bulk data collection. Second, the Irish Data Protection Authority will refer a case about the sufficiency of data protection afforded by the EU Model Clauses to the European Court of Justice. For more on each of these developments, see our recent client alert.
Airline’s mobile app exempt from California privacy laws regarding data collection
A California appeals court ruled that California’s law regarding notice to consumers does not apply to an airline’s data-collecting mobile app. The California attorney general brought suit against Delta Air Lines for violating the California Online Privacy Protection Act by failing to post policies describing the collection practices employed with regard to users’ information transmitted through the app. The Delta Air Lines mobile app, which does not contain a privacy policy, permits users to buy tickets and stores certain customer information transmitted in connection with those transactions. Because the Airline Deregulation Act (ADA) prohibits states from enforcing laws “related to a price, route or service of an air carrier,” the court held that the state could not enforce its privacy law and noted that the costs of complying with the California law, and potentially those of other states, would prevent Delta from using its app as a marketing mechanism. This judicial carve-out from California’s privacy regime is likely limited to industries covered by pre-emptive federal law, and we note that federal authorities are, increasingly, scrutinizing the privacy and data security practices of the entities subject to their jurisdiction.
Pending bill paves path for cross-sector cybersecurity collaboration
The Senate Committee on Homeland Security and Governmental Affairs is now considering legislation passed in mid-May by the House that would permit the Department of Homeland Security to work with a cybersecurity consortium focused on developing and improving preparation for and responses to cybersecurity incidents at the federal, state, and local level. H.R. 4743 would facilitate development of curricula for state and local first responders to cybersecurity breaches, provide technical assistance in building infrastructure for preventing and responding to attacks, and encourage collaboration and communication among governments and private industry regarding cybersecurity defense and response. This effort underscores the Hill’s and Administration’s commitment to improving cybersecurity defense and response and, if enacted, the legislation would provide an opportunity for private industry and infrastructure owners to collaborate with the government on best practices for data breach defense and response.
FTC approves $250,000 data encryption settlement
The Federal Trade Commission entered its final approval of a settlement concerning a marketer’s deceptive and misleading statements about the extent to which its office management software for dental practices would protect patient data to the standards required by HIPAA and HHS. The FTC complaint alleged that the Utah-based marketer claimed that its product encrypted patient data, yet instead used an algorithm that was “less secure than industry-standard encryption,” did not meet NIST standards, and, contrary to the marketer’s representation, was not “capable of helping dentists protect patient data, as required by HIPAA.” The marketer agreed to pay $250,000, abstain from misleading customers regarding its encryption capabilities, and notify customers that the software did not satisfy industry standards for encryption. This fairly routine FTC data security enforcement action illustrates the importance of not only being aware of industry best practices and NIST standards for protecting personal information but also ensuring that actual data protection practices take those standards into account.
Texas fines PayPal for failure to disclose use of consumer information
The state of Texas and PayPal settled claims alleging that PayPal, through its Venmo app, violated the state’s deceptive practices law by failing to clearly disclose how consumer contacts would be used and the extent to which transactions with other consumers would be shared. The settlement agreement requires PayPal to pay a $175,000 fine and improve the clarity and accuracy of its disclosures regarding the Venmo app, which allows users to pay other users electronically. The updated disclosures must, among other things, allow consumers to clearly understand which persons or entities may view information about consumers’ transactions. Consistent with enforcement actions by the FTC, FCC, and other federal and state entities, this action demonstrates the continued significance of transparency, notice, and choice when collecting and using personal information.