On July 24, 2023, an en banc Eleventh Circuit joined the majority of circuits to find that just one text is sufficient to establish standing to bring a Telephone Consumer Protection Act (“TCPA”) claim. The decision, Drazen v. Pinto, — F.4th —, 2023 WL 4699939 (11th Cir. July 24, 2023), not only undoes the panel’s original holding, but also reverses course from the Eleventh Circuit’s prior decision in Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019), which held that a Plaintiff who received a single text message did not have TCPA standing.
Continue Reading The First Text Cuts the Deepest: Eleventh Circuit Aligns with Other Circuits on TCPA Standing
A Statute of Limitations for BIPA Claims? We May be One Step Closer
Illinois’ Biometric Information Privacy Act (“BIPA”) regulates companies that obtain, use, store, sell, and disclose the biometric data of Illinois residents. Companies that fall under BIPA must provide notice to and receive consent from Illinois residents before obtaining their biometric data, and must take reasonable care that the biometric data remains secure. In addition, BIPA includes a private right of action, and if a regulated company fails to comply with its provisions, statutory damages can be as high as $5,000 for each violation. BIPA litigation is active in Illinois State Court and in Federal Courts across the United States.
A sticking point for litigants has been the statute of limitations for a party to bring a BIPA claim. BIPA does not include its own statute of limitations. Generally speaking, plaintiffs have argued that a longer limitations period applies, such as the five-year limitations period under section 13-205 of Illinois’ Code of Civil Procedure. And generally speaking, defendants have argued that a shorter limitations period applies, like the one-year period under section 13-201 of the Code of Civil Procedure.Continue Reading A Statute of Limitations for BIPA Claims? We May be One Step Closer
Energy Cybersecurity Act of 2019
Aiming to identify, enhance, and test supply chain vulnerabilities in the energy sector and cybersecurity response capabilities between public and private sectors, the U.S. Senate Committee on Energy & Natural Resources approved legislation that directs the Department of Energy (DoE) to create several new programs towards the development of “advanced cybersecurity applications and technologies” for the sector.[1] The Energy Cybersecurity Act of 2019 (the Act) directs DoE to establish programs that identify supply chain vulnerabilities and expand Federal cooperation and coordination for responses to cyber threats.
If passed, the Act will require the DoE to:Continue Reading Energy Cybersecurity Act of 2019
No Summer Vacation for Government as New Cybersecurity Legislation Passes
The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity. First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others. Second, Congress passed the NIST Small Business Cybersecurity Act requiring the
Political Data Firm Improperly Accessed Facebook Users’ Data
Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.
The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one a shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.
Continue Reading Political Data Firm Improperly Accessed Facebook Users’ Data
Ninth Circuit Revives Data Breach Class Action, Finds Risk of Identity Theft Without Actual Harm Sufficient to Establish Standing
Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re Zappos.com, was whether
D.C. Circuit: Alleged theft of healthcare subscriber information satisfies Article III harm standard under Spokeo
The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach in lieu of allegations of actual misuse of compromised data. Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a
FTC Submits Public Comment to Working Group Tasked with Developing Guidance on IoT Security, Upgradability, and Patching
On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers. In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged
New Texas Law Explicitly Allows Driverless Cars
On June 15, Texas Gov. Greg Abbott signed a bill that explicitly allows self-driving cars on the state’s roads and highways, regardless of whether a human is physically present. While there was no ban on driverless cars, Texas law did not explicitly permit them either. This created a grey area of the law that fueled
Judge Approves Neiman Marcus Data Breach Settlement
Last week, an Illinois judge preliminarily approved a $1.6 million settlement between Neiman Marcus and a class of customers affected by a 2013 data breach. The settlement, which the parties agreed to in March, covers U.S. residents whose credit card or debit card was used between July 16, 2013 and January 10, 2014 at any