April 02, 2018

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Cybersecurity

Oregon Revises Data Breach Notification Law

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP  

On March 23, 2018, the Governor of Oregon signed a revised data breach notification law that takes effect in June. The law requires businesses that have suffered a data breach to notify affected consumers within 45 days, although delay may be permitted if requested by law enforcement. The law joins a growing trend of statutes that prohibit credit-reporting agencies from charging consumers to place a freeze on their credit reports. A notifying company that offers to provide free credit-monitoring services to affected consumers cannot condition acceptance of those services on the consumer providing a credit or debit card number, and any fees to be charged for additional services must be clearly explained to the consumer.

Data Privacy

Facebook Under the Gun

By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.

The United States Senate sent a letter dated March 19, 2018, to Facebook's Chairman and CEO Mark Zuckerberg. The letter calls Facebook's user privacy policies into question, and the Senate is investigating those policies based on actions involving a personality test app on Facebook by Strategic Communications Laboratories (SCL) and Cambridge Analytica. Approximately 50 million Facebook users were impacted by privacy issues involving their data. The United Kingdom's Information Commissioner's Office is also investigating this data privacy issue involving Facebook.

Pennsylvania Takes Action Against Uber's Data Breach

By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.

Did you hear about the Uber data breach that potentially impacted 57 million people? Uber knew of this data breach for over a year but failed to disclose it, and Pennsylvania's Attorney General Josh Shapiro filed a lawsuit on March 5, 2018, on behalf of the approximately 13,500 Pennsylvania Uber drivers affected by this breach. Attorney General Shapiro said, "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians." This data breach is also being investigated by over 40 other state Attorneys General.

Ninth Circuit Finds Standing Based on Risk of Identity Theft

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP  

The U.S. Court of Appeals for the Ninth Circuit has added to the litany of decisions addressing whether risk of identity theft is sufficient for Article III standing in data-breach litigation. In re Zappos.com, Inc., Customer Data Breach Security Breach Litig., No. 16-16860 (9th Cir. Mar. 8, 2018). In 2012, hackers allegedly stole the personal information of more than 24 million customers of online retailer Zappos. The U.S. District Court for the District of Nevada dismissed for lack of Article III standing the claims of plaintiffs who raised no allegations that the stolen information about them was used. The court of appeals reversed and remanded, concluding that the plaintiffs’ risk of identity theft was sufficient for standing. The court found Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), remained binding precedent because it was not irreconcilable with Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). In Krottner, the court of appeals held that plaintiffs, who were among the 97,000 Starbucks employees whose unencrypted names, addresses, and Social Security numbers were on a stolen laptop, had standing based on their increased risk of future identity theft. By contrast, in Clapper, the Supreme Court concluded that “an objectively reasonable likelihood” that communications of domestic persons would be acquired as a result of foreign surveillance was not sufficient for standing. The Zappos stolen information was akin to that in Krottner because it could be (and for other plaintiffs had been) used to commit identity theft.

Lottery Winner Can Remain Anonymous Based on Privacy Interests

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP  

A New Hampshire state court has held that the winner of a $560 million jackpot prize can remain anonymous in collecting her winnings. Doe v. N.H. Lottery Comm’n, No. 226-2018-CV-00036 (N.H. Super. Ct. Mar. 12, 2018). The winner signed the back of her winning ticket with her name, address, and phone number and then consulted an attorney, who informed her she could remain anonymous by having a trustee collect the prize on the winner’s behalf. The lottery commission, however, maintained that it would be required to reveal the information filled in on the back of the ticket if requested under the state right-to-know law, and any redaction of that information would be a prohibited alteration. In Doe’s suit against the commission for permission to remain anonymous, she cited to articles about other lottery winners being solicited, harassed, and threatened, and noted that her lawyers had in fact already received solicitations for money. Accordingly, the court held that the winner’s privacy interests outweighed the public interest in disclosing her identity. In contrast, the winner’s hometown could be disclosed because it was unlikely Doe would be identified based on that revelation. The commission will not appeal the ruling.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.