August 01, 2019

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut, Alan S. Wernick

Data Privacy

Facebook and FTC Agree to Settle Privacy Probe Claims

By Tom Kierner, Womble Bond Dickinson (US) LLP

On July 24, 2019, Facebook executed a settlement with the Federal Trade Commission (“FTC”) to pay a $5 billion penalty and accept new privacy obligations and tools for the FTC to monitor compliance. Depending on which FTC Commissioner you listen to, the settlement either (i) far exceeds what could be achieved in litigation or (ii) falls far short of what the FTC could reasonably seek merely from the forfeiture of Facebook’s unjust gains.

If approved by the court, the settlement will resolve claims that Facebook violated a 2012 FTC Consent Order (the “2012 Order”) as well as new claims of unfair and deceptive acts or practices. That 2012 Order, among other things, prohibited Facebook from misrepresenting the extent to which Facebook makes user information accessible to third parties.

In its 2019 complaint against Facebook, the FTC alleged several instances where Facebook failed to comply with its 2012 Order obligations. For instance, in 2014, Facebook CEO Mark Zuckerberg publicly announced that Facebook would stop allowing third-party developers to collect data about users’ Facebook friends. However, Facebook had secret arrangements with dozens of developers that allowed those developers to continue to harvest that data until June 2018.

In addition to the eye-popping monetary penalty, Facebook has agreed to several adjustments to its conduct, including significant changes to its corporate governance that aim to limit Mark Zuckerberg’s authority over privacy decisions and increase accountability and transparency.

Vermont Recognizes Private Right of Action for Disclosure of Medical Information

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The Vermont Supreme Court has recognized that the common law provides a private right of action for damages where medical personnel disclose information to a third party without justification. In Lawson v. Halpern-Reiss, No. 2018-157 (Vt. May 17, 2019), the plaintiff sued the Central Vermont Medical Center after a nurse informed a police officer that the plaintiff was intoxicated, had driven herself to the hospital and was about to drive herself home. Plaintiff was arrested but charges against her were later dropped. The Supreme Court affirmed the trial court in finding that the common law recognized a private right of action based on the unjustified disclosure of information obtained by a medical provider during treatment.

The court found that state law already endorsed a duty of confidentiality between medical providers and patients, so recognizing the common-law remedy upheld the expectations of the providers, patients and the public. Because the legislature essentially codified the requirements of the federal Health Information Portability and Accountability Act (HIPAA) into state law, the HIPAA statute and regulations inform the standard of care and exceptions with respect to the duty of confidentiality. HIPAA provides an exception allowing disclosure of information to avert a serious threat to health or safety. The court held that the plaintiff failed to rebut the presumption of good faith that the disclosure was necessary to protect the safety of plaintiff and the public. Accordingly, the court affirmed summary judgment in favor of the medical center.

Digital Currency

Congress Holds Hearings on Libra, Facebook’s Proposed Digital Currency

By Stephen T. Middlebrook, Womble Bond Dickinson

On July 16, 2019, the Senate Banking Committee held a hearing on data privacy and other concerns raised by Facebook’s proposed digital currency known as Libra. The sole witness was David Marcus, Head of Calibra, a Facebook subsidiary which will provide financial services on the Libra blockchain. Mr. Marcus also testified the following day at hearings convened by the House Financial Services Committee. At the House hearings, Mr. Marcus was joined by law professors Chris Brummer and Katharina Pistor as well as former Treasury official and current MIT professor Gary Gensler. At those hearings, House Democrats unveiled a draft of the Keep Big Tech Out of Finance Act, which would prohibit Facebook from issuing a digital asset or virtual currency.

DOJ Charges Head of Bitcoin Escrow Company with Commodities Fraud

By Stephen T. Middlebrook, Womble Bond Dickinson

The Department of Justice has charged Jon Barry Thompson, principal of Volantis Escrow Platform, with commodities fraud and wire fraud. The government alleges Thompson convinced two companies to wire him millions of dollars, which he was to hold in escrow to facilitate the purchase of bitcoin. No cryptocurrency was actually purchased or transferred and Thompson made off with the money.

FEC Approves Distribution of Tokens to Campaign Volunteers

By Stephen T. Middlebrook, Womble Bond Dickinson

The Federal Election Commission issued an advisory opinion approving a political campaign’s distribution of digital blockchain tokens with no monetary value to campaign volunteers as an incentive to engage in volunteer activities. Volunteers received the tokens for registering to vote, hosting events and doing other things to support the campaign. The tokens cannot be bought or sold or used to obtain goods or services. At the end of the campaign, the three volunteers with the most tokens will receive prizes and participants may keep their tokens as souvenirs. The FEC concluded that the tokens did not constitute compensation to volunteers, which would be prohibited under applicable law, but rather were indistinguishable from traditional forms of campaign souvenirs, which are allowed.

E-Commerce

CDA Immunizes ISPs for Publishing False Info Provided by Third Parties

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The U.S. District Court for the District of Columbia has recently held that internet service providers are protected by the Communications Decency Act against claims for publishing content provided by third parties. In Marshall’s Locksmith Service, Inc. v. Google, LLC, No. 18-7018 (D.C. June 7, 2019), fourteen locksmith businesses sued Google, Microsoft, and Yahoo! challenging their search engine practices that allegedly permitted “scam” locksmiths to appear as local businesses to induce legitimate businesses to pay for advertised search results to combat the false information put forth by the scam companies. The plaintiffs argued the search engines published content that boosted the scam locksmith search results, knowing that some of it was false.

The District Court granted the defendants’ motion to dismiss all counts other than breach-of-contract as barred under the Communications Decency Act, which insulates online providers from liability for third-party content they publish. The Court of Appeals affirmed, finding the challenged content published by defendants was protected under the Act. The Court noted that immunity under the Act “is not limitless” and would not protect information fabricated by the search engines based on the content provided to them.

International Law

British Airways: Large GDPR Fines Now a Reality in the UK

By Valerie Surgenor, MacRoberts

On July 8, 2019, the Information Commissioner’s Office (the ICO) issued notice of its intention to serve a penalty notice (a fine) on British Airways (BA). The ICO intends to fine BA £183.39 million following last year’s personal data breach, in which “a variety of information was compromised by poor security arrangements,” leading to log-in, payment card and travel booking details, as well as name and address information, of 429,000 online customers being exposed. The fine of £183.39 million is the largest penalty ever issued by the ICO and is the first UK GDPR fine. The penalty amounts to 1.5% of BA’s worldwide annual turnover in 2017, less than the maximum penalty of 4%.

ICO's Second GDPR Fine in as Many Days Highlights Importance of Due Diligence in Acquisitions

By Valerie Surgenor, MacRoberts

On July 8, hot on the heels of the proposed British Airways fine, the ICO issued notice of its intention to serve a penalty notice (a fine) on Marriott International Inc (Marriott). The ICO intends to fine Marriott £99,200,396 following last year’s personal data breach whereby the data of around 339 million guests globally was exposed, with around 30 million records relating to residents of the European Economic Area, approximately seven million of which related to UK residents. Whilst Marriott did co-operate with the ICO throughout the investigation and has since taken steps to improve the security of its systems, the ICO found that Marriott did not undertake satisfactory due diligence when it acquired Starwood, as this should have been uncovered in the acquisition process, and that Marriott should have had more robust security measures in place to ensure the security of the systems.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.

Alan S. Wernick

Founder; Wernick & Associates, Ltd.

Contributing Editor, Internet Law and Cybersecurity. Attorney in private practice and licensed in IL, NY, OH, and DC, plus several federal district courts and federal appellate courts. With his multidisciplinary background and experience in law, technology, and accounting, Alan helps clients find innovative solutions to achieving their business objectives and managing their legal risks. Experience and leadership roles include (1) private practice of law in Information Technology, Intellectual Property (copyrights, trademarks, trade secrets, licensing), Privacy Law, Cybersecurity Law, and Alternative Dispute Resolution; (2) partnership in large law firms and experience as an in-house general counsel; (3) handling of numerous large complex technology transactions; (4) strategic innovative counseling of clients regarding management of their technology and Intellectual Property assets, privacy law compliance, and data breach remediation; and (5) dispute resolution including litigation, appeals, and ADR. A partial listing of client projects handled by Alan is available at WWW.WERNICK.COM. Recognition by peers includes: Martindale AV rated attorney; Leading Lawyer in Computer & Technology Law; International Who’s Who of Internet & E-Commerce Lawyers; Who’s Who Legal: Information Technology, Data Privacy and Protection, Data Security. Alan is a prolific writer and speaker. Information about Alan’s practice, publications, & lectures is available at WWW.WERNICK.COM or his LinkedIn profile at www.linkedin.com/in/alanwernick.