Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Recent IoT Device Cases

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Clifford J. Zatz, Joe Meadows, Laura Aradi, Paul Mathis

“There are many ways to surveil each other now, unfortunately,” including “microwaves that turn into cameras, et cetera.  So we know that that is just a fact of modern life.”  Kellyanne Conway, March 12, 2017 Interview with New Jersey’s The Record.

Data from microwaves-turned-cameras has yet to appear in court, but data from other IoT devices has.  And while its appearance has been invaluable in cracking criminal cases or pursuing civil claims or defenses, it also has raised constitutional and privacy issues.

Here we highlight some recent IoT device cases.

  • smart speaker:  In a murder case, the police seized the defendant’s smart speaker on the theory that it may offer evidence of what transpired the night of the murder at the defendant’s home.  A search warrant was then served on the speaker’s manufacturer for the audio recordings that had been uploaded to out-of-state servers.  The manufacturer moved to quash the warrant, contending that it had First Amendment rights to publish and speak through the speaker.  The motion was later mooted when the defendant gave the manufacturer permission to turn over any audio recordings.  See Arkansas v. Bates, No. CR-2016-370 (Cir. Ct. Benton County, Arkansas).
  • search engines:  In censorship and unfair competition cases, plaintiffs brought claims against internet companies arising out of their search results.  The companies moved to dismiss on the grounds that their search results were protected speech under the First Amendment.  Florida and New York federal courts agreed:  the companies’ production and ranking of search results was similar to that of a newspaper exercising protected editorial discretion over what to publish.  It made no difference that the search results arose out of automated computer programming.  See e-ventures Worldwide, LLC v. Google, Inc., No. 14-cv-646 (M.D. Fla. Feb. 8, 2017); Zhang v. Inc., 10 F. Supp. 3d 433 (S.D.N.Y. 2014).
  • fitness wearable:  In another murder case, the victim’s husband told police that he was at home fighting off an intruder when his wife returned from the gym no later than 9 am.  According to the husband, the intruder then shot his wife, tied him up, and ran out of the house.  The police searched the wife’s fitness wearable.  Its data showed that the wife was still moving about the home a distance of 1,217 feet between 9:18 am and 10:05 am.  After additional discoveries of the husband’s extra-marital affair and attempt to cash in on the wife’s life insurance, the husband was charged with murder.  See
  • pacemaker:  In a home arson case, the homeowner told police that he did a number of things as soon as he discovered the fire:  he gathered his belongings, packed them in a suitcase and other bags, broke out the bedroom window with his cane, threw his belongings outside, and rushed out of the house.  The police searched the 59-year-old’s pacemaker.  Its data showed that the man’s heart rate barely changed during the fire.  And after a cardiologist testified that it was “highly improbable” that a man in his condition could do the things claimed, the man was charged with arson and insurance fraud.  See
  • biometric devices:  In privacy violation cases, plaintiff consumers have alleged that technology companies have illegally obtained, used, or shared personal “biometric identifiers” – generally, fingerprints, voiceprints, and retinal/facial scans — without consent in violation of privacy laws.  Illinois state and federal courts have sustained some of these claims and approved settlements.  See Rivera v. Google Inc., No. 16-C-02714, 2017 U.S. Dist. LEXIS 27276 (N.D. Ill. Feb. 27, 2017); Sekura v. L.A. Tan Enterprises, No. 2015-CH-16694 (Cir. Ct. Cook County, Illinois);

These IoT device cases – whether in the civil or criminal context — present interesting First and Fourth Amendment issues and privacy rights.  Considering the growth of new IoT devices and their expanding use, identifying and understanding the constitutional issues and privacy rights will continue to gain importance in courtroom disputes.  And on the horizon are similar issues and rights surrounding artificial intelligence and augmented reality devices.

But don’t hold out for an onslaught of microwave-turned-camera cases.

FTC Submits Public Comment to Working Group Tasked with Developing Guidance on IoT Security, Upgradability, and Patching

Posted in Cybersecurity / Data Security, Data Breach, Internet of Things
Jeffrey L. Poston, Stephanie Reiter

On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged manufacturers to take reasonable measures to secure devices and to inform consumers about the devices’ security features.

The FTC also recommended three specific modifications to the working group’s proposed “Elements of Updatability.” First, including additional “key elements” that manufacturers should disclose prior to sale:

  • Whether and how the device can receive upgrades;
  • The date on which security support begins;
  • Guaranteed minimum security support period; and
  • Whether a “smart” device will become highly vulnerable or lose functionality after support ends.

Second, offering “additional elements” to consumers before or after purchase:

  • Uniform method for notifying consumers of available updates;
  • Method to sign up for support notifications, separate from marketing communications; and
  • Real-time notifications when security support is about to end.

Third, removing an “additional element” that described the process by which the manufacturer provides updates, as the technical details likely will not benefit the customer.

While the FTC’s comments are not binding, the FTC’s suggestions reflect lessons learned from its prior enforcement actions, policy initiatives, and consumer and business education.  As a result, IoT device manufacturers should consider implementing the FTC’s proposed practices, regardless of whether NTIA incorporates the FTC’s recommendations into the finalized guidance document.

New Texas Law Explicitly Allows Driverless Cars

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Brandon C. Ge

On June 15, Texas Gov. Greg Abbott signed a bill that explicitly allows self-driving cars on the state’s roads and highways, regardless of whether a human is physically present. While there was no ban on driverless cars, Texas law did not explicitly permit them either. This created a grey area of the law that fueled apprehension among manufacturers about testing self-driving cars in Texas.

Senate Bill 2205 allows driverless vehicles to operate in the state as long as the vehicle is:

  • Capable of operating in compliance with state traffic and motor vehicle laws;
  • Equipped with a recording device;
  • Equipped with an automated driving system that complies with applicable federal law and federal motor vehicle safety standards;
  • Registered and titled in accordance with Texas law; and
  • Covered by motor vehicle liability coverage or self-insurance.

With the new law, Texas joins a growing list of states that officially permit driverless cars on public roads, setting up the stage for the eventual rollout of autonomous vehicles to consumers. But while the technology has remarkable potential, it also raises significant privacy and security concerns. Autonomous vehicles are data-gathering machines and may log historic and real-time geolocation data, which will likely be highly coveted for its ability to reflect individuals’ lifestyles and purchasing habits. Cybersecurity is another major issue – for example, how will collected data be stored or transmitted? In addition, vulnerabilities may allow hackers to hijack and steal self-driving cars or interfere with their safety.

Judge Approves Neiman Marcus Data Breach Settlement

Posted in Cybersecurity / Data Security, Data Breach
Jeffrey L. Poston, Brandon C. Ge

Last week, an Illinois judge preliminarily approved a $1.6 million settlement between Neiman Marcus and a class of customers affected by a 2013 data breach. The settlement, which the parties agreed to in March, covers U.S. residents whose credit card or debit card was used between July 16, 2013 and January 10, 2014 at any Neiman Marcus store. Any such customers who file a claim will receive up to $100, with the four class representatives receiving $2,500 each. The settlement does not require Neiman Marcus to take any specific security-related measures.

The 2013 data breach, which was the result of malware installed in Neiman Marcus’s computer system, potentially exposed approximately 370,385 cards. Approximately 9,200 of these were later used fraudulently. The suit was filed in March 2014 and was initially dismissed for a lack of standing in September 2014. The Seventh Circuit later revived the case, finding that any costs for fraud prevention such as credit monitoring were sufficient to establish standing.

Nevada Enacts Internet Privacy Regulation

Posted in Internet of Things, Privacy
Jeffrey L. Poston, Leigh Colihan

On June 12, Nevada Gov. Brian Sandoval (R) signed into law a bill requiring the operator of an Internet website to disclose the type of information it collects on Nevada residents.  Under the law, any company or person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects information about individuals residing within Nevada, and (3) maintains minimum contacts with Nevada must make available a notice listing the personally identifiable information the operator is collecting on consumers.  The operator must also disclose whether it allows third-party access to the personal information and must notify the consumer of any process to review and request changes to any of his or her covered information.  If not in compliance, the operator has 30 days to remedy a failure to comply or face a civil penalty imposed by the state attorney general.

Other states have submitted similar legislation to enhance Internet privacy laws following President Trump’s repeal of the Federal Communications Commission’s broadband privacy rules.  For example, Illinois’s “Right to Know” bill passed the Senate and now is pending before the House before it can be brought to a vote.  The Illinois bill requires websites to notify consumers about what data the companies collect and to whom they sell the data.  As more states propose and pass their own regulations, compliance for companies could become challenging if the requirements vary, mirroring the oft-cited “patchwork” of state data breach notification laws.

Data Breach Class Action Dismissed for Not Establishing Economic Injury

Posted in Data Breach, Litigation
Jeffrey L. Poston, Brandon C. Ge

Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights perhaps the most challenging issue for plaintiffs in data breach class actions.

The complaint stemmed from a data breach that Barnes & Noble suffered in 2012 where hackers tampered with PIN pad terminals in 63 Barnes & Noble stores across nine states, compromising customers’ credit card and debit card information. The Court previously ruled that the plaintiffs had to allege economic or out-of-pocket damages caused by the data breach in order to state a claim.

The U.S. District Court for the Northern District of Illinois ruled that the plaintiffs’ alleged injuries to the value of their personally identifiable information, time spent with bank and police employees, and emotional distress were insufficient to state a claim. Similarly, although the plaintiffs alleged a temporary inability to use their bank accounts, they failed to demonstrate how this inconvenience caused any monetary injury. The plaintiffs’ lost cell phone minutes in speaking to bank employees and purchases of credit monitoring were also deemed insufficient to state a claim.

Supreme Court to Hear Major Cellphone Privacy Case

Posted in Admissibility, Litigation, Privacy
Jeffrey L. Poston, Brandon C. Ge

Yesterday, the Supreme Court announced that it will hear a case with significant ramifications for privacy in the digital age. The case involves a man convicted of armed robbery based in part on cellphone location data obtained without a probable cause warrant. The conviction was appealed at the Sixth Circuit Court of Appeals, which held that the Fourth Amendment does not require a warrant under such circumstances.

While the Supreme Court has recently restricted the search of cellphone contents and the use of GPS tracking devices by law enforcement, it ruled in 1979 that a robbery suspect had no reasonable expectation of privacy in the numbers dialed from his phone because the suspect had voluntarily turned that information over to the phone company.  Relying on this “third-party doctrine,” federal appeals courts have generally agreed that the Fourth Amendment does not protect cellphone location data because customers routinely provide this data to cellphone companies.

Cellphone carriers can track individuals’ approximate locations based on which signal towers the cellphone can reach, and law enforcement officials frequently obtain such information to assist in investigations. This case, likely to be heard in the fall, gives the Supreme Court an opportunity in the digital age to clarify privacy rights in such records.

The PRC Cybersecurity Law Takes Effect

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Jeffrey L. Poston, Paul Rosen, Brandon C. Ge

The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and criminal penalties.

The PRC Cybersecurity Law requires the implementation of administrative and technical security safeguards, restricts the cross-border transfer of personal information and “important data” collected through operations in China, and mandates the protection of personal information.

While much of the law remains murky, the PRC Cybersecurity Law will likely impact companies of all sizes that do business in China, including those that do not have a physical presence there. Companies should carefully review their practices to determine how the new requirements – particularly those relating to data localization and the PRC’s potential access to that data – impact their operations in China.

Click here to read Crowell & Moring’s full alert on the PRC Cybersecurity Law.

Gunning For An Anonymous Internet Defamer or Infringer’s Identity …

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

… outside your main jurisdiction can have collateral consequences.

In Gunning v. Doe, 2017 WL 1739442 (Me. May 4, 2017), Maine’s highest court just dodged the issue of the applicable First Amendment test for the disclosure of an anonymous speaker accused of defamation.  Instead, it deferred to California’s test.  Why?  Collateral estoppel:  the defamation plaintiff lost her effort to subpoena a California website host for identifying information of the John Doe defendant, and that decision barred the plaintiff from relitigating the disclosure issue in Maine.

Can You Copyright Infringe Anonymously?

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

Yesterday, the Sixth Circuit heard an anonymous copyright infringement case of first impression. See Signature Management Team, LLC v. Doe, No. 16-2188 (6th Cir.). The issue: whether an adjudicated copyright infringer can remain anonymous.

The infringer said he can.

“John Doe” appeared in the case through counsel and defended against Signature’s infringement claim. He lost. But he maintained his right to anonymity under the First Amendment. According to Doe, a court should balance a defendant’s right to remain anonymous against a plaintiff’s need for the defendant’s identity at all stages of litigation, including post-judgment. And here, as the lower court held, Signature prevailed but it didn’t need Doe’s identity where no damages were sought and Doe agreed to cease the infringement.