April 02, 2019

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut, Alan S. Wernick

Digital Currency

Colorado Case Shows Challenges in Establishing Jurisdiction over a Digital Currency Exchange

By William R. Denny, Potter Anderson & Corroon LLP

The recent case of Shaw v. Vircurex, Civ. No. 18-cv-00067-PAB-SKC (D. Col., Feb. 20, 2019), underscores the difficulty of pursuing claims against decentralized exchanges that operate based on algorithmic programming, do not engage in traditional marketing activities and have no traditional physical presence. Shaw arose from the collapse of an online digital currency exchange. Participants used the exchange to buy, sell and trade digital currencies. One participant, Timothy Shaw, lost his money when the exchange shut down, and filed a class action lawsuit in Colorado against the exchange and its operators. Neither the exchange nor any of the other named defendants responded to Shaw’s complaint, so the clerk entered a default against the defendants and Shaw moved the court to enforce the default judgment.

The court, on its own initiative, considered whether the exercise of personal jurisdiction over the defendants offended fundamental due process. Because there was no general jurisdiction over the defendants, the court examined whether there was special jurisdiction, meaning that the lawsuit arose out of the defendants’ contacts with the forum. It held that specific jurisdiction only existed if (1) the defendant purposefully directed its activities giving rise to the claim at residents of the forum, and (2) exercise of personal jurisdiction did not offend traditional notions of fair play and substantial justice.

The three different ways to show that the defendant purposefully directed its activities at residents of the forum were (a) whether the defendants established a continuing relationship with the forum state plaintiff, (b) whether the defendant engaged in a continuous and deliberate exploitation of the forum state market, or (c) whether the defendants’ intentional conduct targeted and had harmful effect in the forum state. The court held that the plaintiff’s creation of an online account with the exchange was insufficient, standing alone, to establish any of the three purposeful direction frameworks, and so dismissed the case for lack of personal jurisdiction.

Data Security

FTC Shares Report Of Privacy and Data Security Activity in 2018

By Antonia Dumas, XPAN Law Group, LLC

In March 2019, the Federal Trade Commission (“FTC”) released its 2018 Privacy and Data Security Update, an annual report summarizing its role and activity as the nation’s primary privacy and data security enforcer. The Update highlights seven focus areas: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance and international engagement.

In 2018, the FTC exercised enforcement actions on key issues including misleading and inadequate privacy and security safeguards (Venmo and VTech Electronics Limited), unauthorized disclosure to third parties (BLU Products, Inc., copycat military sites, and Facebook), and other areas including identity theft, credit reporting and financial privacy, children’s privacy and do not call. Settlements with VTech Electronics Limited and BLU Products, Inc. required the entities to implement comprehensive security programs and undergo biennial auditing of their programs by a third party for 20 years.

The FTC’s advocacy activities included comments issued on the risks of poor security in Internet of Things devices and the importance of companies making accurate privacy disclosures, as well as testimony given to committees of the Senate and House regarding potential federal data privacy legislation.


FTC Proposes New Cybersecurity Requirements for Financial Institutions Over Two Commissioners’ Objection

Eric Mogilnicki and Sam Adriance, Covington & Burling LLP

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”). Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data. In addition, the FTC is proposing technical and clarifying amendments to the GLBA Privacy Rule.

The proposed revisions to the Safeguards Rule, which include mandating encryption and two-factor authentication, represent a substantial change in the cybersecurity regime applicable to financial institutions subject to FTC jurisdiction. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposal is “to better protect consumers and provide more certainty for business.” However, this view has proven controversial, with two Republican commissioners issuing a dissenting statement arguing that the proposed approach “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.

Alan S. Wernick

Founder, Wernick & Associates, Ltd.

Contributing Editor, Internet Law and Cybersecurity. Attorney in private practice and licensed in IL, NY, OH, and DC, plus several federal district courts and federal appellate courts. With his multidisciplinary background and experience in law, technology, and accounting, Alan helps clients find innovative solutions to achieving their business objectives and managing their legal risks. Experience and leadership roles include (1) private practice of law in Information Technology, Intellectual Property (copyrights, trademarks, trade secrets, licensing), Privacy Law, Cybersecurity Law, and Alternative Dispute Resolution; (2) partnership in large law firms and experience as an in-house general counsel; (3) handling of numerous large complex technology transactions; (4) strategic innovative counseling of clients regarding management of their technology and Intellectual Property assets, privacy law compliance, and data breach remediation; and (5) dispute resolution including litigation, appeals, and ADR. A partial listing of client projects handled by Alan is available at WWW.WERNICK.COM. Recognition by peers includes: Martindale AV rated attorney; Leading Lawyer in Computer & Technology Law; International Who’s Who of Internet & E-Commerce Lawyers; Who’s Who Legal: Information Technology, Data Privacy and Protection, Data Security. Alan is a prolific writer and speaker. Information about Alan’s practice, publications, & lectures is available at WWW.WERNICK.COM or his LinkedIn profile at www.linkedin.com/in/alanwernick.