Data Privacy
Every Move You Make: SCOTUS Says Warrant Needed for Cell-Site Location Data
By Christopher Merken, Villanova University Charles Widger School of Law
The U.S. Supreme Court has held that a warrant is necessary to obtain a person’s location data recorded by cell-phone network sites. In Carpenter v. United States, 585 U.S. __ (2018), federal prosecutors failed to obtain a warrant before acquiring a defendant’s cell-site location information, which tied the defendant to a string of robberies. In a narrow ruling, the Supreme Court held that accessing these records constitutes a search and generally requires a search warrant because cell-site location information (1) contains a detailed and comprehensive record of the user’s movements, and (2) does not fall under the third-party doctrine, under which a user has ceded Fourth Amendment protections by exposing information to a third party. The Court noted “special solicitude for location information in the third-party context,” citing United States v. Jones, 565 U.S. 400 (2012), where the Court held that GPS monitoring of even a vehicle traveling on public streets constituted a search. The Court found that cell-site location data creates a “detailed chronicle of a person’s physical presence compiled every day, every moment, over several years,” implicating privacy concerns far beyond the third-party doctrine, and declined to “grant the state unrestricted access to a wireless carrier’s database of physical location information.”
California Enacts Voter Data Breach Reporting Legislation
By Joel Glazer, Temple University Beasley School of Law
To safeguard voter-data security, California has enacted a law, A.B. 1678, requiring the disclosure of any knowledge of misused voter data to California officials. Currently, voter registration data — consisting of, among other things, names, birthdates and addresses — is typically made available to persons and groups intending to use the data for reporting, educational, and political applications. Any use of the voter data outside of these applications must now be made known to California officials. The new law also creates a misdemeanor offence for intentionally misinforming any voter regarding voting locations, times, and eligibility. Finally, the law establishes a new governmental office related to election cybersecurity and risk management, and dedicates $134 million for new voting equipment.
Electronic Contracting
Uber’s Arbitration Clause Is Unenforceable, Says First Circuit
By Prof. Juliet Moringiello, Widener University Commonwealth Law School
Courts have consistently held that contract terms delivered via websites will be enforced only if the terms were reasonably communicated and accepted. On a website, underlined blue font communicates a hyperlink. Does an app communicate terms differently? In Cullinane v. Uber Technologies, Inc., No. 16-2023 (1st Cir. June 25, 2018), the U.S. Court of Appeals for the First Circuit addressed that question. In holding that the Uber customer registration process did not reasonably communicate the existence of the Terms of Service containing an arbitration clause, the Court of Appeals included screenshots of the various steps in that registration process. Because the link to the Terms of Service did not have the common appearance of a hyperlink and was presented in a manner identical to or smaller than other terms, the First Circuit found that the arbitration clause was unenforceable.
Cybersecurity
Sixth Circuit Orders Insurer to Honor Cyber-Scam Injury Claim
By Joel Glazer, Temple University Beasley School of Law
The U.S. Court of Appeals for the Sixth Circuit granted summary judgment ordering an insurer to cover the insured’s computer-fraud claim after an imposter intercepted an email to a frequent vendor and changed the wiring instructions for the insured’s payments to the vendor. Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 17-2014 (6th Cir. July 13, 2018). Under the terms of the policy, a claim for computer fraud required a “direct loss” of money “directly caused by computer fraud.” The court found that American Tooling Center (“ATC”) had suffered a “direct loss,” defining “direct” as the controlling Michigan court had, because ATC’s loss was “immediate” or “proximate” when it paid money to the impersonator with no “intervening event.” The actions of the impersonator constituted “computer fraud,” because the emails were fraudulent — i.e., the fraud occurred because the actions through the computer were illegitimate. The court also found that the loss was “directly caused by the computer fraud,” because the fraudulent email was immediately followed by ATC transferring money to the imposter and, again, no intervening events arose. Finally, the court found that no exclusions to the Policy applied. The court therefore granted summary judgement for ATC, ordering Travelers to honor ATC’s claim for computer fraud.