The big takeaways from The Autonomous Vehicle Safety Regulation World Congress centered on the importance of a federal scheme for AV regulation and the reality of the states’ interest in traditional issues such as traffic enforcement, product liability, and insurance coverage.  In keeping with those messages, the World Congress kicked off with NHTSA Deputy Administrator and Acting Director, Heidi King, speaking about NHTSA’s goals and interest followed almost immediately with wide participation from the states including California, Michigan, and Pennsylvania, among others.

Deputy Administrator King emphasized NHTSA’s desire to foster an environment of collaboration among all stakeholders, including the states.  Ms. King emphasized that safety remains the top priority at NHTSA.  NHTSA has provided some guidance, and looks forward to hearing from stakeholders about the best way to support and encourage growth in autonomous vehicles.  NHTSA wants to provide a flexible frame work to keep the door open for private sector innovation.  It is necessary to build public trust and confidence in the safety of autonomous vehicles, and that can only accomplished by all stakeholders working together.

NHTSA is working on the next version of AV guidance, having already issues its 2.0 version, with an expected release of 3.0 in 2018.  The guidelines will remain voluntary, but NHTSA is ready to support entities as they try to implement the voluntary guidance.  Working with the states, DOT, OEMs, and other stakeholders, NHTSA hopes to continue to be flexible and allow for rapid changes.  Later in the conference lawyers emphasized the importance of compliance with the guidance in minimizing liability particularly in no-fault states such as Michigan.

Dr. Bernard Soriano, deputy director, California Department of Motor Vehicles, similarly confirmed that California’s overarching interest in regulating AV is the safe operation of vehicles on its roadways.  In summarizing California’s recent October 11, 2017 release of revised regulations, he emphasized that “change happens fast,” and that the state is pleased to now be close to allowing completely driverless testing.  He recognized the federal preemption on the design of the vehicle and its crashworthiness and emphasized the state’s interest in the operation of the vehicles and compliance with state traffic laws.
Continue Reading

On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on

Earlier this month, the Federal Bureau of Investigation (FBI) issued a public comment about privacy, cybersecurity, and safety risks associated with internet-connected toys.  The FBI’s comment builds on the Federal Trade Commission’s recent amendment to the Children’s Online Privacy Protection Act (COPPA), which explicitly states that connected toys are deemed “websites or online services”

On June 12, Nevada Gov. Brian Sandoval (R) signed into law a bill requiring the operator of an Internet website to disclose the type of information it collects on Nevada residents.  Under the law, any company or person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects information

Last week, the Federal Trade Commission (“FTC”) announced an agreement settling claims against a television manufacturer arising from the alleged unauthorized collection of television viewing data.  The FTC, along with the State of New Jersey, alleged that certain “smart TVs” manufactured and sold by VIZIO, Inc. and its subsidiary VIZIO Inscape Services (collectively, “VIZIO”) failed

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identify theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing because the plaintiffs suffered from identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.


Continue Reading

On December 15, 2016, in The Travelers Indemnity Co. of Connecticut v. Max Margulis, et al., the U.S.  District Court for the Eastern District of Missouri ruled that an insurer did not have a duty to defend its policyholder in a suit alleging a violation of the Telephone Consumer Protection Act (“TCPA”). Margulis

Discussion headlines: UMass settles alleged HIPAA violations; FCC combatting robotexts and robocalls; TCPA class certification; failed investor suit over data breach; UK surveillance bill became law

UMass pays $650,000 to settle alleged HIPAA violations

The University of Massachusetts Amherst (UMass) reached an agreement to pay $650,000 to settle alleged HIPAA violations based on the disclosure