The Weekly Privacy Rewind

Class Actions

Facebook Cannot Evade Suit Under Illinois’ Biometric Information Privacy Act Even Where No Proof of Harm

• In separate rulings handed down last week in the Northern District of California, the court refused to dismiss a case against Facebook under Illinois’ Biometric Information Privacy Act (BIPA) on Article III standing grounds.

• According to the court, allegations that Facebook did not follow BIPA’s notice and consent procedures were enough to establish Article III standing under the Supreme Court’s Spokeo

• Whether the plaintiffs can demonstrate that they constitute “aggrieved parties” under BIPA is still an open question.

Online Merchant Cited for Inadequate Interest-Based Advertising Disclosures

Liftopia, an e-commerce platform that enables ski resorts to sell advance-purchase tickets online, was cited in a recent decision by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for failing to provide consumers with sufficient notice and choice relating to the collection of data for targeted ads and the serving of interest-based advertising (IBA), including ad retargeting, as required by the Digital Advertising Alliance (DAA) Principles.

Colorado Legislature Signals That It May Create More Stringent Data Destruction Regulations and Tighten Breach Reporting Requirements

In January 2018, Colorado legislators sponsored a bill that, if passed, would change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach. Included in these proposed changes are the following amendments:

The Video Privacy Protection Act: Watching the Courts Through Crossed Eyes

The Video Privacy Protection Act (VPPA), passed by Congress in 1988, is intended to prevent a “video tape service provider” from “knowingly” disclosing an individual’s “personally identifiable information” (PII) to third parties where that individual “requested or obtained … video materials,” such as “prerecorded video cassette tapes or similar audio visual materials.” At the time the law was passed, Congress had providers such as Blockbuster and visual materials such as VHS tapes in mind. The VPPA may now seem outdated, yet the law’s general language has led to several lawsuits over PII linked to digital video materials, such as online video-streaming services, forcing courts to struggle with the application of old law to new technology.

California Facebook Decision At Odds With Illinois Courts

On February 26, 2018, the United States District Court for the Northern District of California denied Facebook, Inc.’s motion to dismiss the plaintiffs’ consolidated class action complaint for failure to allege a concrete injury in fact under Federal Rule of Civil Procedure 12(b)(1). Plaintiffs alleged Facebook’s “Tag Suggestions” violated the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., by collecting users’ biometric data secretly and without consent. Facebook’s Tag Suggestions program uses “state-of-the-art facial recognition technology” to create and store digital representations called “templates” of people’s faces based on the geometric relationship of an individual’s unique facial features, such as “the distance between [a person’s] eyes, nose and ears.” The basis of the court’s review was whether the complaint’s allegations were insufficient on their face to invoke federal jurisdiction. Citing Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016) (“Spokeo I”), the court stated that an intangible harm, such as the violation of a procedural right granted by statute, can be sufficient in some circumstances to constitute injury in fact. The court extended this analysis to apply to state statutes based on Ninth Circuit case law. The dispositive inquiry, according to the court, was whether the statutory provisions were established to protect the plaintiffs’ concrete interest, and whether the specifically alleged procedural violations “actually harm or present a material risk of harm” to those interests. In summary fashion, the court concluded that BIPA codified a right of privacy in personal biometric information.
According to the California court, BIPA vests Illinois residents with the “right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.” The court held that abrogating the procedural rights mandated by BIPA necessarily amounts to a “concrete injury.” Based on this analysis, the court concluded that Facebook’s alleged disregard for Illinois’ notice and consent procedures under BIPA caused the precise harm the legislature sought to prevent—the right of an individual to maintain her biometric privacy. Facebook argued that collecting biometrics without notice or consent requires “real-world harms” to support Article III standing. The court disagreed relying on Spokeo I and Ninth Circuit cases that recognize violation of a statutory procedural right in itself can be a sufficient injury.

Blockchain ‘Smart Contracts’ – A New Transactional Framework

While the term “smart contract” has created some confusion, there is a growing buzz around these powerful and flexible software programs. With the support of a host of key players across multiple industry sectors spurring development, smart contracts continue to see an array of new applications. Partner Laura Jehl and Associate Brian Bartish detail some examples of these use cases and provide an overview of the technology behind smart contracts. They also discuss the risks and considerations that businesses should be aware of when considering whether smart contracts can help them operate more efficiently. Read the full article to learn more about how this blockchain technology is reshaping the way businesses transact.

SEC Clarifies Existing Cybersecurity Disclosure Guidance

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities laws and related policies and procedures. Chair Clayton indicated that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

When Obscurity Is Not a Defense

Many organizations facing a data-security incident struggle to understand how or why their organization was targeted in an attack. Most simply believe they are too small or too obscure to be targeted by malicious cyber actors. Even larger, well-known businesses are lulled into complacency, mistaking years without a major security incident as evidence that their business is an unlikely target, or believing that a small corner of their business, perhaps the new cloud instance they’re testing, will go unnoticed. They reason that with bigger or more prominent fish in the ocean, their relative obscurity is a strong line of defense. But this reasoning misunderstands how victims of cyber attacks typically become victims, and how easy it is for attackers to find and compromise vulnerable targets across the internet. While some victims are targeted for a specific purpose, especially by nation-state actors, many are not. More often they are opportunistic victims or victims of collateral damage directed at others. Understanding how attackers target victims is critical to proper network defense and to accurately assessing an organization’s risk scenarios.

Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts a healthcare organization’s day-to-day operations on some level and, in some cases, its ability to care for its patients. The OCR identified the four most frequent cyber extortion trends as follows:

Looking Back: The Federal Trade Commission Issues Annual Data Privacy Report for 2017

On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed review of the FTC’s areas of enforcement and international privacy protection updates, as well as the FTC’s domestic educational and cyber initiatives in 2017.