November 30, 2017

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

D.C. Court of Appeals Requires Search Warrant for Cell Site Simulator Tracking

By Ed McAndrew, Ballard Spahr

The District of Columbia Court of Appeals recently reversed the robbery and sexual assault convictions of a man whose location was tracked through the use of a cell site simulator, or Stingray device, without a warrant. Jones v. U.S., No. 15-CF-322, (D.C. App. Sept. 21, 2017).

The court held that a law enforcement agency’s tracking of the location of a particular person by using a simulator that attracts the cellular signals of the person’s cellphone violates that person’s reasonable expectation of locational privacy. The government generally must obtain a search warrant before using a cell site simulator to determine a person’s location. The D.C. Court of Appeals joins state and federal courts in Maryland and New York. These courts have rejected the government’s argument that individuals have no reasonable expectation of privacy in digital signals that their devices emit to third parties, an argument that the Supreme Court will take up in U.S. v. Carpenter.

FTC and Dept. of Education Announce December Ed Tech Workshop

By Heidi Kuffel, Skarzynski Black LLC

The U.S. Federal Trade Commission and the U.S. Department of Education will host a December 1, 2017, workshop addressing the intersection of Ed Tech, COPPA and FERPA. Educational technology (Ed Tech) affords students access to personal technology issued by schools. However, with access to technology come privacy issues. For example, the Children’s Online Privacy Protection Act (COPPA) requires parental consent before owners or operators of websites can collect, disclose, or use personal information of children aged 13 and under, and the Family Educational Rights and Privacy Act (FERPA) also serves to protect student record privacy.

FTC Announces December Workshop on Informational Injury

By Heidi Kuffel, Skarzynski Black LLC

To date, the U.S. Federal Trade Commission has brought over 500 privacy and data security-related cases involving unfair or deceptive business practices relating to consumer injury. The FTC will host a workshop on December 12, 2017, to assist in understanding the risks associated with misuse of consumer information. The workshop will focus on identifying the various types of injuries that stem from misuse of consumer information, analysis on how best to categorize the injuries, and a review of the way in which both consumers and businesses perform cost/benefit analyses in sharing or collecting information with regard to the potential for misuse.

Washington Constitution Protects State Employees’ Privacy

By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.

The Washington Court of Appeals recently held there is a “protected expectation of privacy” in state employees’ birthdates accompanying their full names based on the Washington State Constitution. Wash. Pub. Emps. Ass’n, UFCW Local 365 v. Wash. State Ctr. for Childhood Deafness & Hearing Loss, No. 49224-5-II (Wash. App. Oct. 31, 2017). The Freedom Foundation sought such information through a public records request from several agencies to further its “worker education project to inform eligible state employees that they have a constitutional right to opt-out of paying union dues.” Multiple unions fought to protect their state employees’ information from disclosure in response to the request. The court determined that it is not in the public interest to publicly reveal such information and that revealing it would irreparably harm those state employees.

Cyber-Security

NIST Releases Revised Discussion Draft

By James R. Steel III, Skarzynski Black LLC

On September 28, 2017, the National Institute for Standards announced the release of a discussion draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. One of the major focuses of the updated draft is providing processes for integrating C-suite-level executives into the Risk Management Framework (RMF) and institutionalizing risk management preparatory activities at the organizational level. The updated draft also integrates key privacy concepts into the RMF in an effort to promote a holistic application of security, privacy, and risk management concepts.

Vermont Attorney General Imposes Fine for Data Breach

By Michael Silvestro, Skarzynski Black LLC

Following an investigation by Vermont’s attorney general, a North Carolina–based technology company will pay a $264,000 fine over a data breach. In July 2016, the company allowed a spreadsheet containing 660 Social Security numbers to be viewed publicly without authentication. The publication of this data was reported by a consumer. The fine amount corresponds to $400 per published Social Security number.

Hilton Data-Breach Settlement Reached

By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.

On October 31, 2017, the attorneys general for New York and Vermont announced a settlement with Hilton Domestic Operating Company, Inc., formerly Hilton Worldwide, Inc. (Hilton) concerning two data breaches that exposed more than 350,000 credit card numbers. Because Hilton waited over nine months to disclose the first breach to its customers after learning of it on February 10, 2015, and waited over three months the second time after learning of the breach on July 10, 2015, the $700,000 settlement requires Hilton to disclose breaches in a much more timely manner and to abide by applicable standards governing data security. New York General Business Law § 899-aa(2) mandates that data breaches of the type Hilton faced be disclosed without unreasonable delay and within the “most expedient time possible.”

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.