January 31, 2020

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut, Alan S. Wernick


FTC Issues “New and Improved” Data-Security Orders

By Tim Wolfe, University of Washington School of Law

The FTC has made “significant improvements” to its data-security orders, according to a January 2020 blog post. The changes follow FTC Hearing #9: Data Security in December 2018, which addressed possible improvements to the FTC’s data-security orders, and the 11th Circuit’s 2018 decision in LabMD v. Federal Trade Commission, which found an FTC-proposed order was unenforceable for its “indeterminable standard of reasonableness.” The FTC referenced seven orders announced in 2019 that reflect these changes: ClixSense, i-Dressup, DealerBuilt, D-Link, Equifax, Retina-X, and Infotrax.

The orders move away from a reasonableness standard and provide specific procedures the companies must put into place to maintain compliance. They also increase third-party assessor accountability by mandating that assessors identify and disclose to the FTC specific evidence to support their findings. The FTC is granted the authority to approve and re-approve assessors every two years, with the ability to withhold approval and force the companies to hire a different assessor. Finally, the governing body of the companies must be presented with and approve a written information-security program every year. By requiring the approval of senior management under oath, the FTC expects “better year-round governance and controls.”

OCIE Releases Cybersecurity Observations

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission recently published Cybersecurity and Resiliency Observations. The publication notes that the OCIE has seen a variety of practices and approaches for addressing cybersecurity based on its examinations of thousands of different types of SEC registrants. While not an official rule or statement of the SEC, the observations are intended to “assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” The brochure discusses observations concerning topics like governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and security-awareness training.

Maryland Court Requires Insurer to Cover Ransomware Losses

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The U.S. District Court for the District of Maryland recently held that an insurance company had to cover losses that an embroidery and screen-printing business suffered from a 2016 ransomware attack. National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).

The attack left National Ink and Stitch, LLC, unable to access certain software, even after paying the demanded ransom.  The company had to replace and reinstall its software, and add protective software that caused its system to run slowly. 

State Auto Property and Casualty Insurance Company denied coverage for the costs to replace National Ink’s entire computer system, on the grounds that the company suffered loss only to intangible data and not a physical loss of the system. The court disagreed, finding that the policy covered a loss of data and software. Alternatively, the court held that National Stitch could recover for the impaired functionality of its computer system, because nothing in the policy required a complete disability for coverage. Accordingly, the court granted summary judgment on liability in favor of National Stitch and denied the insurer’s competing motion.

Electronic Contracting

Pennsylvania Court Rejects Uber’s Bid to Enforce Arbitration Terms

By John E. Ottaviani, Partridge Snow & Hahn LLP

A Pennsylvania state court recently found that Uber failed to enter into an enforceable agreement with a user, either when she initially signed up for the ride-share service on her mobile phone, or when Uber tried to subsequently update the terms. The case illustrates the dangers in not having a sign-up process that obtains explicit consent, and in trying to modify terms and conditions without obtaining explicit consent.

In Kemenosh v. Uber Technologies, Inc., No. 181102703 (C.P. Phila. Co. Jan. 3, 2020), the plaintiff alleged that she suffered severe personal injuries when her Uber driver ran a red light and crashed into another vehicle. Uber moved to compel arbitration, based on both an arbitration clause in its terms and conditions when the plaintiff created her account and on subsequent modifications to those terms purportedly sent by email several years later.

After reviewing screenshots of the sign-up process when the plaintiff created her account, the court found that the screens did not properly communicate an offer to arbitrate under Pennsylvania law. In doing so, the decision rejected the “conspicuous” standard used by the First Circuit in Cullinane v. Uber Techs., Inc., 893 F.3d 53 (1st Cir. 2018) and by the Second Circuit in Meyer v. Uber Techs., Inc., 868 F.3d 66 (2d Cir. 2017) because that analysis previously had been rejected by the Pennsylvania Supreme Court. The sign-up process used the words “by creating an Uber account you are agreeing to the Terms of Service and Privacy Policy,” where the words “Terms of Service and Privacy Policy” had a hyperlink that would display the terms of service (including an arbitration clause) when clicked. However, Uber’s sign-up process did not contain a “check-box” to confirm that the user had read the terms and conditions, did not require the user to click on the hyperlink to complete the registration process, did not use the typical blue underlined text for the hyperlink, and did not even suggest that the user read the terms. The court felt that the words “by creating an Uber account you are agreeing to the Terms of Service and Privacy Policy” only conveyed the message that by creating an Uber account, one is agreeing to pay money in exchange for transportation, and to the terms of a privacy policy. Under Pennsylvania law, the deficiency in Uber’s registration process was not the inconspicuousness of the arbitration provision, but rather Uber’s failure to adequately communicate an offer to arbitrate in a definite manner, to create a meeting of the minds.

Similarly, the court rejected Uber’s argument that its subsequent attempt to update its terms created a binding agreement to arbitrate.  Several years later, Uber sent an email which linked to new “U.S. Terms of Use,” which also contained an arbitration clause.  The email stated that Uber had revised its arbitration agreement and advised that “[i]f you use our app or other services … you’re confirming you’ve read and agree to the updated terms.”  The court found there was a significant factual dispute about whether the plaintiff received the email, such that Uber had failed to prove that the email constituted an offer to arbitrate.


E-Commerce Sales Hit Record High, Jump Nearly 19% During 2019 Holiday Season

By John E. Ottaviani, Partridge Snow & Hahn LLP

Despite a shorter holiday season, U.S. shoppers spent 3.4% more this holiday season than in 2018, according to a survey by Mastercard SpendingPulse.  But online sales during this period jumped 18.8%, a record high, exceeding the 18.4% increase the year before.

The survey, which measured shopping from November 1 through December 24, 2019, demonstrates the continuing change in how U.S. consumers shop. Online shopping sales made up 14.6% of total retail spending during the 2019 holiday period. In contrast, the SpendingPulse survey found a 1.8% decline in sales at brick-and-mortar department stores. In addition, the online sales of those stores grew only 6.9% over the prior holiday season.

Other facts and figures from the SpendingPulse report show the increasing importance of online sales and omni-channel offerings:

  • Two days—Black Friday (15.4%) and Cyber Monday (24.5%)—accounted for nearly 40% of overall retail spending during the holiday season.
  • Sales of apparel increased 1% overall, but online sales of apparel increased 17% compared to 2018.
  • Similarly, jewelry sales grew 1.8% overall, but online sales grew 8.8% over the prior year.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.

Alan S. Wernick

Founder, Wernick & Associates, Ltd.

Contributing Editor, Internet Law and Cybersecurity. Attorney in private practice and licensed in IL, NY, OH, and DC, plus several federal district courts and federal appellate courts. With his multidisciplinary background and experience in law, technology, and accounting, Alan helps clients find innovative solutions to achieving their business objectives and managing their legal risks. Experience and leadership roles include (1) private practice of law in Information Technology, Intellectual Property (copyrights, trademarks, trade secrets, licensing), Privacy Law, Cybersecurity Law, and Alternative Dispute Resolution; (2) partnership in large law firms and experience as an in-house general counsel; (3) handling of numerous large complex technology transactions; (4) strategic innovative counseling of clients regarding management of their technology and Intellectual Property assets, privacy law compliance, and data breach remediation; and (5) dispute resolution including litigation, appeals, and ADR. A partial listing of client projects handled by Alan is available at WWW.WERNICK.COM. Recognition by peers includes: Martindale AV rated attorney; Leading Lawyer in Computer & Technology Law; International Who’s Who of Internet & E-Commerce Lawyers; Who’s Who Legal: Information Technology, Data Privacy and Protection, Data Security. Alan is a prolific writer and speaker. Information about Alan’s practice, publications, & lectures is available at WWW.WERNICK.COM or his LinkedIn profile at www.linkedin.com/in/alanwernick.