Class Actions

Facebook Cannot Evade Suit Under Illinois’ Biometric Information Privacy Act Even Where No Proof of Harm

  • In separate rulings handed down last week in the Northern District of California, the court refused to dismiss a case against Facebook under Illinois’ Biometric Information Privacy Act (BIPA) on Article III standing grounds.
  • According to the court, allegations that Facebook did not follow BIPA’s notice and consent procedures were enough to establish Article III standing under the Supreme Court’s Spokeo
  • Whether the plaintiffs can demonstrate that they constitute “aggrieved parties” under BIPA is still an open question.

EU/GDPR

U.K.’s Information Commissioner’s Office Closes Investigation of WhatsApp

  • Based on assurances that WhatsApp had not shared any user data with Facebook – which acquired the popular messaging service in 2014 – beyond data shared for basic data processing purposes, the U.K.’s Information Commissioner’s Office closed its investigation of WhatsApp without seeking a fine.
  • WhatsApp agreed not to share personal data with Facebook until it was in compliance with GDPR. Information Commissioner Elizabeth Denham commended WhatsApp for its pledge, but cautioned that her agency would be closely monitoring WhatsApp’s adherence.

FBI

FBI Director Vows to Recognize Corporations That Suffer Data Breaches as Victims

  • At the second annual Boston Conference on Cyber Security last Wednesday, FBI Director Christopher Wray urged private businesses to promptly alert the FBI after a cyberattack.
  • Recognizing that there are concerns from the business community that companies are sometimes reluctant to inform the FBI about breaches on the belief that the Bureau will share that information with regulatory agencies, Director Wray vowed to “treat victim companies as victims” and pledged not to share information with what he described as the Bureau’s “less-enlightened” counterparts on the regulatory side.

SEC

SEC Chairman Clayton Signals Agency Will Closely Scrutinize Compliance With Cybersecurity Guidance

  • Speaking to investors at the Council for Institutional Investor’s semiannual conference, SEC Chairman Clayton said that the Commission will make corporations’ response to the SEC guidance on disclosure of data breaches a “focal point for staff review.”
  • This follows on the heels of the SEC’s February guidance that requires publicly traded companies to disclose cybersecurity risks and breaches that are likely to have a material impact on stock prices.
  • According to Chairman Clayton, companies should be putting substantial work into figuring out their disclosure obligations under current rules.

State AGs

Pennsylvania AG Shapiro Sues Uber Over 2016 Data Breach

  • In a lawsuit filed last week, Pennsylvania Attorney General Josh Shapiro sued Uber Technologies Inc. (Uber) for violations of Pennsylvania’s Breach of Personal Information Notification Act (the Act).
  • According to AG Shapiro, rather than notify impacted consumers within a reasonable amount of time, as required by the Act, “Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.”
  • In what may become a test case for what constitutes a reasonable time frame to provide notification of a data breach, Uber could be subject to fines of up to $1,000 per violation of the Act, or $13.5 million. AG Shapiro’s suit also alleges that Uber’s violations of the Act constitute separate violations of Pennsylvania’s Consumer Protection Law, which could subject the ride-sharing giant to further penalties.

Self-regulation

Liftopia Agrees to Comply With Digital Advertising Alliance Self-regulatory Principles

  • Liftopia Inc. (Liftopia), a California-based company that provides a platform for ski resorts to sell online lift tickets, agreed to adhere to the Self-Regulatory Principles for internet-based advertising propounded by the Digital Advertising Alliance (the DAA).
  • According to the Online Interest-Based Advertising Accountability Program (the Accountability Program), Liftopia was allowing third parties to collect user data without providing enhanced notice required under the DAA.
  • When notified by the DAA that it was not in compliance, Liftopia made recommended changes to its website to come into full compliance with the Self-Regulatory Principles for Online Behavioral Advertising, and the Accountability Program determined that Liftopia now is in full compliance.