Categories & Search

Category: Litigation

Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants

The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”

Go

Privilege Waiver: Is Your File-Sharing Site a Public Park Bench?

While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site – without sufficient safeguards – may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.

Go

Does Facebook Have the Right to Challenge Search Warrants Seeking Facebook Users’ Data? New York’s Highest Court Hears Argument

Facebook is the latest social media giant to push back on law enforcement efforts to seek user information.  On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data.  The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.

Go

Third Circuit Finds FCRA Violation Alone Confers Standing for Data Breach Suit

The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach.  The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself.  This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

Keeping Section 5 Alive: The FTC Brings Suit Against D-Link

The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders.  The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.

Go

LabMD’s 11th Circuit FTC Appeal: The Opening Shot

Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.

Go

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Go

Wake-Up Call: Law Firms in the Cybersecurity Crosshairs

Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit.  Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched.  The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.”  The lawsuit makes no claim that any client information has been stolen or misused.  Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

When Using a Computer Becomes a Crime, Part Two: ACLU, Facebook Weigh In on Ninth Circuit’s Answer

The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers.  The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.”  The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102. 

Go

LabMD Scores Early Win in FTC Appeal

The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday.  In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.

Go

Galaria v. Nationwide: Data Breach Plaintiffs Standing Strong in the Sixth

This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.

Go

Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians.  The breach has been reported as the largest for a hospital in 2016. 

Go

Post-Spokeo Standing: An Evolving Landscape

Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event.  These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.

Go

When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer

Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts.  Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

Target Corp. Shareholders Walk Away from Derivative Lawsuits

The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach.  And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.

Go

FTC Delays Ruling in LabMD Appeal

The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm.  In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”

Go

SEC Chair Warns: Cyber Biggest Threat to Global Financial System

The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today.  At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.

Go

The Supreme Court Sends Spokeo Back

Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins.  The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.  

Go

LabMD’s Waiting Game: Lingering Questions over FTC’s Authority in Data Security Matters

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek.  Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

Go

Federal Appeals Court Set to Issue One of the Most Important Privacy Rulings in a Generation

For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad.  It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.

Go

Seventh Circuit (Again) Finds Consumers Have Standing To Sue Over Data Breaches

Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company.  Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.  

Go

Traditional General Liability Policy Covers Medical Records Mishap

A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.

Go

On the Front Lines of Cybersecurity: The Corporate Challenge

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Go

Are You Adequately Protected by Your Cybersecurity Insurance? The Sky is the Sub-Limit

For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate.  Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.

Go

FTC Reviews Case Over Legal Standard For Data Security Enforcement Action

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

Go

U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade

The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely-watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses — whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day. 

Go

Litigation Watch: Can a Third-Party Vendor Be Left Holding the Bag After a Breach?

Many organizations, particularly those outside of the technology sector, rely heavily on third-parties—including cyber security specialists, lawyers, and public relations firms—to help pick up the pieces after a data breach.  But what happens when a third-party vendor doesn’t fix the problem?

Go

The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning

Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when.  And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.  

Go

FTC Appeals ALJ Ruling Dismissing Its Claims Against LabMD

The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.

On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers.  The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.

Go

Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security

In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010.  After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.  

Go

Re-Thinking “Substantial Injury”: The FTC’s Potential New Need for Victims

Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers.  In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015).  The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches.  Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim. 

Go

Target Settles With Credit Card Issuers

Today, Target and a class of banks that issued credit cards that were compromised in the Target data breach announced they have reached a $39.4 million settlement.

Go

FTC Blasted in LabMD Data Security Case

In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.  In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.

Go

Supreme Court Hears Oral Argument In Spokeo

Last Monday, the Supreme Court heard argument in Spokeo, Inc. v. Robins, one of this Term’s closest-watched cases, especially in the data-privacy field.  While attempting to “read the tea leaves” from oral argument can be treacherous, the justices’ questions offered a fascinating window into their thinking.

Go

Employees and “Authorized Access”: A Threat from Within?

Workplace privacy has become an increasingly challenging issue for employees and employers alike.  With technological advancements, employers have enhanced visibility into employee behavior including their use of company resources such as the Internet.  The same advancements have also afforded employees with unprecedented access to a company’s confidential and proprietary information.

Go