The Weekly Privacy Rewind


Global Shipping Company Svitzer Announces First Data Breach Under Australian Data Breach Notification Laws

• Global shipping company Svitzer has the dubious distinction of being the first company to provide notice under Australia’s new data breach notification law, notifying the Office of the Australian Information Commissioner (the OAIC) and almost 500 Australian employees of a breach that exposed tax file numbers, superannuation account numbers and the names of next of kin, among other things.

• Under the new law, companies and Australian government agencies are required to disclose a breach if the data includes personal information that is likely to result in serious harm.

• The OAIC said that it “will assess the information in the notification and decide if any further action is required.”

Court Limits 2015 Text Marketing Rules, Gives New FCC an Opportunity to Provide Clarity

On March 16, the D.C. Circuit issued a long-awaited decision in a challenge to the Federal Communications Commission’s July 10, 2015 Declaratory Ruling and Order regarding the Telephone Consumer Protection Act (the July 2015 Order). We have previously explained the challenges created by the July 2015 Order here and here.

On the whole, the unanimous 3-0 Decision offers some good news for businesses: the court struck down the FCC’s broad definition of “autodialer” (or ATDS) as unreasonably and impermissibly expansive, and held that the FCC’s interpretation of ATDS functionality was so lacking in clarity that it failed the requirement of reasoned decision-making. The court also found that the FCC’s liability approach for calls to reassigned numbers, where an advertiser unintentionally contacts a new subscriber while relying on the prior subscriber’s consent, was arbitrary and capricious. However, the Decision upheld the FCC’s positions that consumers must be able to withdraw consent to telemarketing by any reasonable means, rather than only by the methods designated by the advertiser, and upheld the limited scope of the exemptions for healthcare messages.

The Weekly Privacy Rewind

Class Actions

Facebook Cannot Evade Suit Under Illinois’ Biometric Information Privacy Act Even Where No Proof of Harm

• In separate rulings handed down last week in the Northern District of California, the court refused to dismiss a case against Facebook under Illinois’ Biometric Information Privacy Act (BIPA) on Article III standing grounds.

• According to the court, allegations that Facebook did not follow BIPA’s notice and consent procedures were enough to establish Article III standing under the Supreme Court’s Spokeo

• Whether the plaintiffs can demonstrate that they constitute “aggrieved parties” under BIPA is still an open question.

Online Merchant Cited for Inadequate Interest-Based Advertising Disclosures

Liftopia, an e-commerce platform that enables ski resorts to sell advance-purchase tickets online, was cited in a recent decision by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for failing to provide consumers with sufficient notice and choice relating to the collection of data for targeted ads and the serving of interest-based advertising (IBA), including ad retargeting, as required by the Digital Advertising Alliance (DAA) Principles.

Colorado Legislature Signals That It May Create More Stringent Data Destruction Regulations and Tighten Breach Reporting Requirements

In January 2018, Colorado legislators sponsored a bill that, if passed, would change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, and would amend the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach. Included in these proposed changes are the following amendments:

The Video Privacy Protection Act: Watching the Courts Through Crossed Eyes

The Video Privacy Protection Act (VPPA), passed by Congress in 1988, is intended to prevent a “video tape service provider” from “knowingly” disclosing an individual’s “personally identifiable information” (PII) to third parties where that individual “requested or obtained … video materials,” such as “prerecorded video cassette tapes or similar audio visual materials.” At the time the law was passed, Congress had providers such as Blockbuster and visual materials such as VHS tapes in mind. The VPPA may now seem outdated, yet the law’s general language has led to several lawsuits over PII linked to digital video materials, such as online video-streaming services, forcing courts to struggle with the application of old law to new technology.

California Facebook Decision At Odds With Illinois Courts

On February 26, 2018, the United States District Court for the Northern District of California denied Facebook, Inc.’s motion to dismiss the plaintiffs’ consolidated class action complaint for failure to allege a concrete injury in fact under Federal Rule of Civil Procedure 12(b)(1). Plaintiffs alleged that Facebook’s “Tag Suggestions” violated the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., by collecting users’ biometric data secretly and without consent. Facebook’s Tag Suggestions program uses “state-of-the-art facial recognition technology” to create and store digital representations called “templates” of people’s faces based on the geometric relationship of an individual’s unique facial features, such as “the distance between [a person’s] eyes, nose and ears.” The basis of the court’s review was whether the complaint’s allegations were insufficient on their face to invoke federal jurisdiction. Citing Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016) (“Spokeo I”), the court stated that an intangible harm, such as the violation of a procedural right granted by statute, can in some circumstances be sufficient to constitute injury in fact. Relying on Ninth Circuit case law, the court extended this analysis to state statutes. The dispositive inquiry, according to the court, was whether the statutory provisions were established to protect the plaintiffs’ concrete interests, and whether the specifically alleged procedural violations “actually harm or present a material risk of harm” to those interests. In summary fashion, the court concluded that BIPA codified a right of privacy in personal biometric information.
According to the California court, BIPA vests Illinois residents with the “right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.” The court held that abrogating the procedural rights mandated by BIPA necessarily amounts to a “concrete injury.” Based on this analysis, the court concluded that Facebook’s alleged disregard for Illinois’ notice and consent procedures under BIPA caused the precise harm the legislature sought to prevent—the loss of an individual’s right to maintain her biometric privacy. Facebook argued that collecting biometrics without notice or consent requires “real-world harms” to support Article III standing. The court disagreed, relying on Spokeo I and Ninth Circuit cases that recognize that the violation of a statutory procedural right can in itself be a sufficient injury.

Blockchain ‘Smart Contracts’ – A New Transactional Framework

While the term “smart contract” has created some confusion, there is a growing buzz around these powerful and flexible software programs. With the support of a host of key players across multiple industry sectors spurring development, smart contracts continue to see an array of new applications. Partner Laura Jehl and Associate Brian Bartish detail some examples of these use cases and provide an overview of the technology behind smart contracts. They also discuss the risks and considerations that businesses should be aware of when deciding whether smart contracts can help them operate more efficiently. Read the full article to learn more about how this blockchain technology is reshaping the way businesses transact.

SEC Clarifies Existing Cybersecurity Disclosure Guidance

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance,” which we previously covered) regarding disclosure requirements under the federal securities laws and related policies and procedures. Chair Clayton indicated that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

When Obscurity Is Not a Defense

Many organizations facing a data-security incident struggle to understand how or why they were targeted in an attack. Most simply believe they are too small or too obscure to be targeted by malicious cyber actors. Even larger, well-known businesses are lulled into complacency, mistaking years without a major security incident for evidence that their business is an unlikely target, or believing that a small corner of their business, perhaps the new cloud instance they’re testing, will go unnoticed. They reason that with bigger or more prominent fish in the ocean, their relative obscurity is a strong line of defense. But this reasoning misunderstands how victims of cyber attacks typically become victims, and how easy it is for attackers to find and compromise vulnerable targets across the internet. While some victims are targeted for a specific purpose, especially by nation-state actors, many are not. More often they are opportunistic victims, or collateral damage from attacks directed at others. Understanding how attackers select victims is critical to proper network defense and to accurately assessing an organization’s risk scenarios.