July 06, 2018

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Cybersecurity

11th Circuit Vacates FTC Order Against LabMD as Unenforceable

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The U.S. Court of Appeals for the Eleventh Circuit has vacated an order of the Federal Trade Commission (FTC) in an enforcement action that charged now-defunct medical laboratory LabMD, Inc. with having a security program that was so inadequate it constituted an “unfair act or practice” under the Federal Trade Commission Act. LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018). A LabMD billing employee had downloaded peer-to-peer file-sharing software on a computer, allegedly permitting external persons to access a file that contained personal information for 9,300 customers. An administrative law judge dismissed the FTC’s complaint, but the full Federal Trade Commission reversed on appeal, citing numerous security measures that LabMD failed to execute, and entered a cease-and-desist order that required LabMD to implement a reasonable security program.  

The court of appeals assumed arguendo that LabMD’s negligence in implementing a data security program was an unfair practice but found the FTC’s order was unenforceable. Rather than directing LabMD to stop committing a specific act, the order directed it to implement a security program that met an undefined standard of reasonableness. The order’s lack of specificity would require an enforcing court to micromanage LabMD’s business to the FTC’s satisfaction. While the order did not invalidate the FTC’s authority to regulate security, it is likely to change the level of detail the FTC will require in future enforcement orders.

Fourth Circuit Clarifies Standing Requirements in Data Breach Cases

By Shivani Patel, University of Virginia

The U.S. Court of Appeals for the Fourth Circuit recently held that Article III standing to sue in data breach cases is sufficiently established if an attempt to use stolen information to commit fraud has been made. In Hutton v. Nat’l Board of Examiners in Optometry, Inc., No. 17-1506 (4th Cir. June 12, 2018), a class comprising plaintiffs belonging to the National Board of Examiners in Optometry (NBEO) had their personal identification information stolen in the NBEO data breach. The district court dismissed their case for lack of standing, stating that the plaintiffs had alleged neither a sufficient injury-in-fact nor traceability to the NBEO. The court of appeals found that the plaintiffs were “concretely injured because fraudsters used—and attempted to use—[their] personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.” This, the court reasoned, caused the plaintiffs to expend time and money to enroll in credit-monitoring services and notify credit-reporting agencies and the IRS. Furthermore, the plaintiffs’ injury was sufficiently traceable to NBEO’s conduct; every plaintiff-optometrist who had a Chase Amazon account opened in their name belonged to the NBEO, which collected and stored their Social Security numbers and outdated personal information. Access to this information led to the breach. The court noted that other national optometry organizations did not store Social Security numbers, or they had confirmed that their databases were secure. The court of appeals vacated the district court’s judgment and remanded for further proceedings.

Data Privacy

S.C. Supreme Court Finds Abandonment Negates Need for Warrant to Search Cell Phone

By Kendeil Dorvilier, Villanova University Charles Widger School of Law

From fingerprints to frequent contacts, cell phones have come to serve as personal databases, recording various aspects of our everyday lives. Yet in State v. Brown, No. 2015-002360 (S.C. June 13, 2018), the Supreme Court of South Carolina recently held that, despite the quantitative and qualitative difference between cell phones and other forms of personal property, a cell phone is still subject to the same abandonment analysis as any other piece of property. Law enforcement personnel found Lamar Brown’s cell phone at the scene of a burglary. Six days later, an officer correctly guessed the passcode, and then used the data stored in the phone to identify the suspect. The court held that, in leaving the phone behind after committing a crime, the petitioner could not reasonably expect to maintain any privacy interest in his phone. The warrantless search of the phone did not violate his Fourth Amendment protection from unreasonable searches and seizures because the cell phone was objectively deemed to be abandoned at the scene of the burglary.

SCOTUS Finds Warrantless Search of Motorcycle in Driveway Unconstitutional

By Eric M. Holleran, Georgetown University Law Center

The U.S. Supreme Court has held that the warrantless search of a vehicle parked within a home’s curtilage violated the U.S. Constitution and did not fall under the automobile exception, thus meriting the exclusion of evidence gained from the search. See Collins v. Virginia, 138 S. Ct. 1663 (2018). Police in Albemarle County, Virginia, searched a motorcycle possessed by Ryan Collins while the motorcycle was parked in the driveway of a home owned by Collins’s girlfriend. Believing the motorcycle to be the same vehicle involved in prior traffic violations, the police, without a warrant, searched the motorcycle, discovered that it was stolen, and arrested Collins for possession of stolen property. Collins was later indicted, despite his objection that the evidence from the search violated the Fourth Amendment’s Exclusionary Rule. Writing for the Court’s 8-1 decision, Justice Sonia Sotomayor drew a comparison between a vehicle parked in a home’s driveway, like in Collins, and a vehicle parked inside the home: the two scenarios are treated as identical, since a home’s curtilage receives the same Fourth Amendment protection as the home itself. As long as an automobile, whether car or motorcycle, is parked within a home’s curtilage, the fact that the vehicle is visible to the naked eye does not matter: as the Court has long affirmed, “a search is a search.” The sole dissenter, Justice Samuel Alito, argued that Collins turned on whether the search of the vehicle was reasonable, writing that the appropriate standard against which to measure was “the degree of intrusion on privacy” and that no invasion of privacy existed for a police officer walking up a driveway. Justice Sotomayor relied on a socio-economic argument to uphold privacy concerns, noting that Fourth Amendment protections are afforded to all members of society, without regard to income.  

E-Commerce

U.S. Government Seeks Stakeholder Comments on Future Internet Governance, Privacy, and Emerging Technology Priorities

By Donald R. Steinberg and Kirsten Donaldson, WilmerHale

On June 5, the National Telecommunications and Information Administration (NTIA), within the U.S. Department of Commerce, issued a notice requesting “comments and recommendations from all interested stakeholders on its international Internet policy priorities for 2018 and beyond.” The comments, due July 2, 2018, are intended to help NTIA identify the most important issues facing the Internet globally. In particular, the notice seeks comments on the following four categories: (1) the free flow of information and jurisdiction; (2) the multi-stakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends.

NTIA’s request for comments follows on the heels of the May 25, 2018, European Union General Data Protection Regulation (GDPR) rollout. The GDPR was designed to protect personal data privacy and harmonize data privacy laws across Europe, but causes concern to brand and copyright owners in that it requires redaction of critical identifying “WHOIS” information regarding website ownership from view—a substantial problem for those trying to combat counterfeiting and piracy online. The GDPR also poses several data privacy and security challenges for Internet, telecommunications, and global technology companies. Shaping NTIA and the U.S. Government’s global agenda related to “international information and communications technology policies” will be critical for brand and copyright owners seeking to protect their intellectual property within the new GDPR regime, as well as for Internet, telecommunications, and technology companies that may be impacted by post-GDPR US national and international discussions.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.