Cybersecurity
11th Circuit Vacates FTC Order Against LabMD as Unenforceable
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Eleventh Circuit has vacated an order of the Federal Trade Commission (FTC) in an enforcement action that charged now-defunct medical laboratory LabMD, Inc. with having a security program that was so inadequate it constituted an “unfair act or practice” under the Federal Trade Commission Act. LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018). A LabMD billing employee had downloaded peer-to-peer file-sharing software on a computer, allegedly permitting external persons to access a file that contained personal information for 9,300 customers. An administrative law judge dismissed the FTC’s complaint, but the full Federal Trade Commission reversed on appeal, citing numerous security measures that LabMD failed to execute, and entered a cease-and-desist order that required LabMD to implement a reasonable security program.
The court of appeals assumed arguendo that LabMD’s negligence in implementing a data security program was an unfair practice but found the FTC’s order was unenforceable. Rather than directing LabMD to stop committing a specific act, the order directed it to implement a security program that met an undefined standard of reasonableness. The order’s lack of specificity would require an enforcing court to micromanage LabMD’s business to the FTC’s satisfaction. While the order did not invalidate the FTC’s authority to regulate security, it is likely to change the level of detail the FTC will require in future enforcement orders.
Fourth Circuit Clarifies Standing Requirements in Data Breach Cases
By Shivani Patel, University of Virginia
The U.S. Court of Appeals for the Fourth Circuit recently held that Article III standing to sue in data breach cases is sufficiently established if an attempt to use stolen information to commit fraud has been made. In Hutton v. Nat’l Board of Examiners in Optometry, Inc., No. 17-1506 (4th Cir. June 12, 2018), a class comprising plaintiffs belonging to the National Board of Examiners in Optometry (NBEO) had their personal identification information stolen in the NBEO data breach. The district court dismissed their case for lack of standing, stating that neither had sufficient injury-in-fact been alleged nor had traceability to the NBEO. The court of appeals found that the plaintiffs were “concretely injured because fraudsters used—and attempted to use—[their] personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.” This, the court reasoned, caused the plaintiffs to expend time and money to enroll in credit-monitoring services and notify credit-reporting agencies and the IRS. Furthermore, the plaintiffs’ injury was sufficiently traceable to NBEO’s conduct; every plaintiff-optometrist who had a Chase Amazon account opened in their name belonged to the NBEO, which collected and stored their Social Security numbers and outdated personal information. Access to this information led to the breach. The court noted that other national optometry organizations did not store Social Security numbers, or they had confirmed that their data bases were secure. The court of appeals vacated the district court’s judgment and remanded for further proceedings.
Data Privacy
S.C. Supreme Finds Abandonment Negates Need for Warrant to Search Cell Phone
By Kendeil Dorvilier, Villanova University Charles Widger School of Law
From fingerprints to frequent contacts, cell phones have come to serve as personal databases, recording various aspects of our everyday lives. Yet in State v. Brown, No. 2015-002360 (S.C. June 13, 2018), the Supreme Court of South Carolina recently held that, despite the quantitative and qualitative difference between cell phones and other forms of personal property, a cell phone is still subject to the same abandonment analysis as any other piece of property. Law enforcement personnel found Lamar Brown’s cell phone at the scene of a burglary. Six days later, an officer correctly guessed the passcode, and then used the data stored in the phone to identify the suspect. The court held that, in leaving the phone behind after committing a crime, the petitioner could not reasonably expect to maintain any privacy interest in his phone. The warrantless search of the phone did not violate his Fourth Amendment protection from unreasonable searches and seizures because the cell phone was objectively deemed to be abandoned at the scene of the burglary.
SCOTUS Finds Warrantless Search of Motorcycle in Driveway Unconstitutional
By Eric M. Holleran, Georgetown University Law Center
The U.S. Supreme Court has held that the warrantless search of a vehicle parked within a home’s curtilage violated the U.S. Constitution and did not fall under the automobile exception, thus meriting the exclusion of evidence gained from the search. See Collins v. Virginia, 138 S. Ct. 1663 (2018). Police in Albemarle County, Virginia, searched a motorcycle possessed by Ryan Collins while the motorcycle was parked in the driveway of a home owned by Collins’s girlfriend. Believing the motorcycle to be the same vehicle involved in prior traffic violations, the police, without a warrant, searched the motorcycle, discovered that it was stolen, and arrested Collins for possession of stolen property. Collins was later indicted, despite his objection that the evidence from the search violated the Fourth Amendment’s Exclusionary Rule. Writing for the Court’s 8-1 decision, Justice Sonia Sotomayor drew a comparison between a vehicle parked in a home’s driveway, like in Collins, and a vehicle parked inside the home: the two scenarios are treated as identical, since a home’s curtilage receives the same Fourth Amendment protection as the home itself. As long as an automobile, whether car or motorcycle, is parked within a home’s curtilage, the fact that the vehicle is visible to the naked eye does not matter: as the Court has long affirmed, “a search is a search.” The sole dissenter, Justice Samuel Alito, argued that Collins turned on whether the search of the vehicle was reasonable, writing that the appropriate standard against which to measure was “the degree of intrusion on privacy” and that no invasion of privacy existed for a police officer walking up a driveway. Justice Sotomayor relied on a socio-economic argument to uphold privacy concerns, noting that Fourth Amendment protections are afforded to all members of society, without regard to income.
E-Commerce
U.S. Government Seeks Stakeholder Comments on Future Internet Governance, Privacy, and Emerging Technology Priorities
By Donald R. Steinberg and Kirsten Donaldson, WilmerHale
On June 5, the National Telecommunications and Information Administration (NTIA), within the U.S. Department of Commerce, issued a notice requesting “comments and recommendations from all interested stakeholders on its international Internet policy priorities for 2018 and beyond.” The comments, due July 2, 2018, are intended to help NTIA identify the most important issues facing the Internet globally. In particular, the notice seeks comments on the following four categories: (1) the free flow of information and jurisdiction; (2) the multi-stakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends.
NTIA’s request for comments follows on the heels of the May 25, 2018, European Union General Data Protection Regulation (GDPR) rollout. The GDPR was designed to protect personal data privacy and harmonize data privacy laws across Europe, but causes concern to brand and copyright owners in that it requires redaction of critical identifying “WHOIS” information regarding website ownership from view—a substantial problem for those trying to combat counterfeiting and piracy online. The GDPR also poses several data privacy and security challenges for Internet, telecommunications, and global technology companies. Shaping NTIA and the U.S. Government’s global agenda related to “international information and communications technology policies” will be critical for brand and copyright owners seeking to protect their intellectual property within the new GDPR regime, as well as for Internet, telecommunications, and technology companies that may be impacted by post-GDPR US national and international discussions.