Category: Marketing & Consumer Privacy

A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen.  In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations.  Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws.  Three House Representatives pointed to the breach as a reminder as to why there needs to be a national privacy and data security law.  One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.

Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance).  The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.

It’s been a tough week for the healthcare industry.

Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.

In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.

Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.

Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.  The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant.  The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.

Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.

A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.

The Supreme Court is poised to finally answer the question that’s been plaguing federal courts across the country:  must U.S. tech companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand information from customer accounts that is stored on servers in a foreign country?

Since the massive data breach at Equifax Inc. was disclosed late Thursday (see our blog here), the news has only gotten worse for the Atlanta-based credit monitoring agency. 

A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.

Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement.  More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant.  Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.

The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.

In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

Facebook is the latest social media giant to push back on law enforcement efforts to seek user information.  On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data.  The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.

In a recent update to its widely used application, Uber has implemented a change in location settings that some users are not happy about.  Before the update, users could limit Uber’s ability to track their location to “only while using app.”  But the new update strips users of that option. 

The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.

This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?

The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm.  In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”

The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016.  This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.

Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company.  Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.  

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.