July 03, 2020

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Cybersecurity

Law Firm Faces Counterclaim in ERISA Case due to Work from Home and Personal Email Policies

By Jessica Poggi, Duke University School of Law

A Pennsylvania law firm is facing a claim that its lax security procedures contributed to the theft of $400,000 worth of 401(k) funds from the firm’s retirement accounts. Leventhal v. MandMarblestone, Grp., C.A. No. 18-cv-2727 (E.D. Pa. May. 27, 2020).  According to the pleadings, criminals were able to gain access to the funds by obtaining a copy of an employee’s withdrawal receipt. The criminals then used the information to remove the entirety of the funds in the employee’s account.

The firm, Leventhal Sutton & Gornstein, sued the third-party administrator of the account, alleging that the administrator breached its fiduciary duty by allowing the criminals to access the funds. The administrator then filed a counterclaim against the firm, asserting that by allowing employees to work from home and use their personal emails for business, the firm created a cyber-security risk. The administrator further alleges that the risk constitutes a breach of the firm’s duty as a co-fiduciary under the Employee Retirement Income Security Act. U.S. District Judge Mitchell S. Goldberg allowed the counterclaim to move forward, noting that ERISA allows for claims of contribution and indemnity.

Data Privacy

Airbnb & NYC Settle Customer Data Suit

By Shannon A. Quinn, American University Washington College of Law

On June 12, 2020, the New York City government and Airbnb agreed to settle a lawsuit attacking the constitutionality of a local ordinance that compelled short-term rental companies to release customer data. The agreement stipulates that the city will revise the ordinance and require companies to report quarterly-only relevant booking and property information to the city, providing for increased confidentiality of personal information.

Airbnb filed suit in 2018 after the city passed Local Law 146 requiring short-term rental companies to frequently release data, including customer names, addresses, telephone numbers, and banking information in an effort to control affordable housing. The U.S. District Court for the Southern District of New York granted a preliminary injunction in early 2019, with the judge ruling that the ordinance violated the Fourth Amendment and equivalent provisions in the New York Constitution by compelling the companies to turn over sensitive data. Airbnb agreed drop the challenge after passage of the new law. The revised legislation will take effect 180 days after it is passed.

New Jersey Supreme Court Dismisses Restroom Camera Privacy Case for Lack of Evidence

By Sarah Hand, Temple University Beasley School of Law

On June 16, 2020, the Supreme Court of New Jersey reversed an appeals court decision and found that the trial court had properly granted summary judgment against a group of plaintiffs in in Friedman v. Martinez, No. 081093 (N.J. June 16, 2020) regarding their invasion of privacy claim. Approximately sixty women filed the case in 2011 after discovering that a janitor had placed video-recording devices in the restrooms and locker room of their office building for several months. The trial court dismissed a group of plaintiffs that had been unable to identify themselves on the recovered video footage. On appeal, the issue presented was whether simply putting a recording device in a private space, without providing proof of an actual recording, is sufficient to establish an invasion of privacy claim.

Answering that question in the affirmative, the court held that an intrusion on privacy occurs when an individual uses a private space in which a spying device has been hidden and “the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B (Am. Law Inst. 1977). Victims are not required to present direct evidence that they were secretly recorded; a case of intrusion upon seclusion can be established based on circumstantial evidence and any reasonable inferences that the court could draw from the proof presented. For example, the Supreme Court noted, “[a] court could reasonably infer that someone who worked in the vicinity of a bathroom around the same time a camera was hidden there met that standard.” In this case, however, the court found that the summary judgment record could not support an inference that the previously dismissed plaintiffs used the bathrooms while the cameras were present during the relevant time.

Photographs: No Permission, No Problem in Tennessee

By Edwin León, Widener University Delaware Law School

David Lambert of Kingsport, Tenn., had charges of unlawful photographing, T.C.A. § 39-13-605(a)-(c) (2014), dismissed after three appeals court judges ruled that there is no expectation of privacy in public places. State v. Lambert, No. E2018-02296-CCA-R3-CD, 2020 Tenn. Crim. App. LEXIS 303 (Crim. App. Apr. 28, 2020).

Lambert was charged after he was found to have taken “close-up” images of woman in stores around Tenn., for sexual gratification. Lambert argued that because the stores were public places the persons did not have an expectation of privacy and therefore, he did not commit a crime.

The court agreed, citing Katz v. United States, 389 U.S. 347, 351-52 (1967): “[w]hat a person knowingly exposes to the public, even in his own home or office,” is not covered by a reasonable expectation of privacy.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.