Categories & Search

Industry: Technology

Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants

The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”

Go

Does Facebook Have the Right to Challenge Search Warrants Seeking Facebook Users’ Data? New York’s Highest Court Hears Argument

Facebook is the latest social media giant to push back on law enforcement efforts to seek user information.  On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data.  The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.

Go

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

Uber Riders: Choosing Convenience or Privacy

What Consumers Should Know About Uber’s New Location Settings

In a recent update to its widely used application, Uber has implemented a change in location settings that some users are not happy about.  Before the update, users could limit Uber’s ability to track their location to “only while using app.”  But the new update strips users of that option. 

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

When Using a Computer Becomes a Crime, Part Two: ACLU, Facebook Weigh In on Ninth Circuit’s Answer

The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers.  The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.”  The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102. 

Go

Cybersecurity Advice from President Obama

We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance on this increasingly important subject.  In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies

Go

When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer

Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts.  Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.

Go

Pokémon GO Exposes Risks of Bring-Your-Own-Device (BYOD) Policies

There’s no denying it: Pokémon GO is a phenomenon. 

The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th.  In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history.  Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

Lessons from LinkedIn: Privacy and Data Security Representations in the M&A Context

Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

Go

US Regulators Investigate Chinese Steelmakers for Hacking Trade Secrets

The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.

Go

European Parliament: Proposed Privacy Shield Must Be Strengthened

We have previously written about the ongoing debate regarding the proposed EU-U.S. Privacy Shield.  The European Parliament has now added its voice to those who say that the current proposal is inadequate.

Go

What’s Next for the EU-U.S. Privacy Shield?

With European regulators continuing to debate the current proposal for the EU-U.S. Privacy Shield, the fate of the new trans-Atlantic data framework is becoming murkier by the day.  Rapprochement may still be a possibility, but over the past week, we have seen parties on both sides preparing for an extended fight.  The Privacy Shield is one of the most significant issues in global cybersecurity today.

Go

LabMD’s Waiting Game: Lingering Questions over FTC’s Authority in Data Security Matters

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek.  Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

Go

Federal Appeals Court Set to Issue One of the Most Important Privacy Rulings in a Generation

For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad.  It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.

Go

EU Regulators Decline to Support Privacy Shield Agreement

In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on Wednesday that it would not affirm the adequacy of the Privacy Shield deal.

Go

Traditional General Liability Policy Covers Medical Records Mishap

A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.

Go

Lessons from the Bangladesh Central Bank Heist

By now, you’ve probably heard about the massive cyber attack that hit Bangladesh’s central bank last month, resulting in the loss of $81 million through fraudulent transfers to accounts in the Philippines.  Although the size and scale of this cyber heist was unprecedented, cybercrime targeting ACH (Automated Clearing House) financial transactions is nothing new.  Financially motivated hackers regularly target ACH systems.

Go

On the Front Lines of Cybersecurity: The Corporate Challenge

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Go

FTC Reviews Case Over Legal Standard For Data Security Enforcement Action

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

Go

U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade

The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely-watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses — whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day. 

Go

EU Commission and United States Agree on New “Privacy Shield” for Trans-Atlantic Data Flow

U.S. and European Commission officials announced on Tuesday that they have reached an agreement in principle on a new EU-U.S. Privacy Shield to permit the flow of data between Europe and the United States.  The new deal follows on the heels of reports Monday evening that U.S. and European officials were continuing to negotiate a replacement for the now-defunct Safe Harbor Framework, after officials failed to reach an agreement by the January 31st deadline.

Go

U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal

American and European officials failed to meet the January 31st deadline for a new agreement on the transfer of data between the United States and Europe, disappointing hopes that the two sides would broker a deal to replace the now-invalidated U.S.-EU Safe Harbor Framework.

Go

“Interoperable” Healthcare Data Will Be a Tempting Target

At a panel during last week’s Consumer Electronics Show in Las Vegas, Edith Ramirez, chair of the Federal Trade Commission – America’s top privacy regulator – said she would not wear a Fitbit personal fitness tracker.  “I don’t want my sensitive health information being shared,” she explained.  And as it happens, Fitbit suffered a hack the same week.  Meanwhile, U.S. healthcare regulators have recently been promoting policies that promise to aggregate and render more accessible the health data of millions – whether that data comes from consumers using personal health devices like Fitbit or patient visits to doctors or hospitals. 

Go

The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning

Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when.  And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.  

Go

FTC Appeals ALJ Ruling Dismissing Its Claims Against LabMD

The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.

On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers.  The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.

Go

FTC Blasted in LabMD Data Security Case

In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.  In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.

Go

Should Smartphone Manufacturers Be Legally Compelled to Unlock Users’ Devices?

Picture this:  A criminal defendant is indicted for three counts related to the possession of methamphetamine, and federal prosecutors obtain a warrant for the defendant’s iPhone.  But the iPhone is passcode protected, and the prosecutors can’t break the code.  During their investigation, the prosecutors learn that someone has sent a command to the target phone that will cause the iPhone’s contents to be erased if the device is connected to a network and powered on.  The prosecutors approach Apple and request that Apple unlock the iPhone so that they can execute their warrant.  Must Apple comply with this request?

Go

Safe Harbor Framework For Data Transfers Between U.S. and EU Invalidated

Earlier today, the Court of Justice of the European Union (CJEU) issued a decision in Maximillian Schrems v Data Protection Commissioner, declaring invalid the EU-U.S. Safe Harbor framework that provided a mechanism for businesses to transfer personal data of European citizens to the United States. 

Go

Data Security and The Internet of Things

The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.

Go

What’s at Stake in the Supreme Court’s Decision in Spokeo, Inc. v. Robins?

Spokeo, Inc. v. Robins—which involves the question of whether Congress, by authorizing a private right of action based on a violation of a federal statute, can confer Article III standing upon a plaintiff who has suffered no concrete harm—is one of the most eagerly anticipated decisions from the Supreme Court’s October 2015 term.  The petitioner’s and respondent’s primary briefing have now been filed with the Court, offering a glimpse into the arguments that we will see at oral argument in the fall.  Significantly, in their briefing, Spokeo and Robins both emphasize the potential impact of this decision not only for the future of privacy and data-breach litigation, but also for the scope of the federal courts’ Article III jurisdiction in general.

Go

Department of Homeland Security: “The C-Suite and Cybersecurity”

Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses.  The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.

Go

Second Circuit Hears Argument in Microsoft Appeal: How Far Does a U.S. Warrant Reach?

In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case.  During the argument, the Court acknowledged that the “implications of its ruling would be broad.”

Go

Upcoming Oral Argument in US v. Microsoft: Does a U.S. Warrant Apply to Email Stored on a Foreign Server?

On September 9th, the Second Circuit Court of Appeals will hear a case with global business, technology, and legal implications. The case, United States v. Microsoft, presents a deceptively simple question: What’s a multinational company to do when it receives a U.S. court order to turn over customer emails that are stored on a server in a foreign country and that may be subject to different data privacy laws?

Go

Steering Clear of Broken Promises

With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice.  Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.  

Go