September 02, 2020

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

Eighth Circuit Finds Qualified Immunity Protects Officers From Privacy Violations

By Nehama Hanoch, The George Washington University Law School

In a case involving members of the reality-television family the Duggars, the Eighth Circuit recently held en banc that officers may be protected under qualified immunity against allegations of violations of the constitutional right to privacy because the Fourteenth Amendment right to privacy has not been clearly established by the Supreme Court. Dillard v. O'Kelley, 961 F.3d 1048 (8th Cir. 2020)

The issue in the interlocutory appeal was whether the individual defendants, employees of the City of Springdale Police Department and the Washington County Sheriff’s Office, were entitled to qualified immunity after they released redacted copies of reports relating to a 2006 sexual misconduct investigation in response to a tabloid’s FOIA request.  The redactions did not prevent the public from identifying the plaintiffs in this case, who were minors at the time. The plaintiffs, child television stars in Arkansas, asserted claims under 42 U.S.C. § 1983.

The first panel affirmed the district court’s denial of the defendant’s motion to dismiss the § 1983 claims based on qualified immunity, and the en banc court reversed. On a motion to dismiss based on qualified immunity, a plaintiff must show that they plead particularized facts showing 1) that the official violated a statutory or constitutional right, and 2) that at the time of the challenged conduct, this right was clearly established.  In qualified immunity cases, the court looks for existing precedent that places the statutory or constitutional issue beyond debate. 

In this case, the court considered whether the defendants violated a clearly established right.  While the Supreme Court has assumed a Fourteenth Amendment right to privacy exists, it has never been found to be violated.  Writing for a split court, Circuit Judge Loken concluded that the judicial uncertainty surrounding the status of a constitutional right to privacy indicates that this is not a clearly established right, and therefore, the defendants are entitled to qualified immunity.

A concurring opinion remarked that “[t]he constitutional right to informational privacy is dead” and that privacy protections now lies in the hands of state legislatures.  The concurrence disagreed with the majority opinion that a right may not be clearly established in the absence of definitive Supreme Court precedent for qualified immunity cases where the right has been established in circuit precedent.

A partial dissent remarked that the plaintiffs’ clearly established right to privacy was violated because the plaintiffs had been promised that their interviews with the police department, which provided intimate details of sexual abuse at the hands of their brother, would remain confidential.  Given the well-supported and repeated circuit precedent on the constitutional right to privacy, the defendants were on fair notice that public disclosure of such “highly personal matters” was a violation of that right. 

Vermont Enacts Data Breach and Student Data Privacy Laws

By Shaked Barkay, University of Pennsylvania Law School

On July 1, 2020, Vermont’s new Student Data Privacy law and amendments to Vermont’s Security Breach Notice Act, both aimed at strengthening data protection, went into effect.

In addition to requiring several disclosure and security practices, Vermont’s Student Data Privacy law prohibits “operators” of websites, services or applications aimed at Pre-K-12 schools from knowingly:

  • Engaging in targeted advertising based on information that the operator possesses because of scholastic use of its site, service or application;
  • Using information obtained through the operator’s site, service or application to create a profile about a student, except for scholastic purposes;
  • Selling, bartering or renting a student’s information; and
  • Disclosing certain “covered” information, unless such disclosure is provided for in the law.

The amendments to the Security Breach Notice Act:

  • Expanded the definition of Personally Identifiable Information (“PII”) to include, when in combination with an individual’s first name/initial and last name:
    • Identification numbers originating from government identification documents that are commonly used for identity verification (e.g., passport number);
    • Unique biometric data (e.g., fingerprints);
    • Genetic information; and
    • Health records.
  • Expanded the definition of a breach to include, in addition to PII, login credentials, which were defined as a combination of a consumer’s username/email address and password/security question answer that could together allow access to the consumer’s account.
  • Permits substitute notice where the cost of direct notice exceeds $10,000, or where the data collector does not have sufficient contact information.

The Vermont Attorney General has issued guidance on complying with the amended data breach notification law.

E-Commerce

Court Finds CDA Narrow Exclusion Only Applies to Federal Intellectual Property Claims

By Emily Fulginiti, Georgetown University Law Center

The U.S. District Court for the Eastern District of Pennsylvania recently granted certain social media sites’ (Facebook, Reddit, Imgur) motions to dismiss the claims of a local media personality for “unlawful dissemination and publication of [plaintiff’s] image” and violating plaintiff’s “common law and statutory right of publicity.” Hepp v. Facebook, Inc. et. al., No. 19-4034-JMY (E.D. Pa. June 5, 2020). Plaintiff Karen Hepp, a newscaster for the Philadelphia-based Fox-29 news crew, alleged the social media sites used her image in advertisements for erectile dysfunction treatment and online dating services. The defendants filed motions to dismiss asserting immunity under the Communications Decency Act (“CDA”). The plaintiff alleged that her claims were protected under the carve-out in the CDA allowing website operators to face intellectual property claims.

The court noted that the case presented an issue not yet decided by the Third Circuit—“whether CDA immunity extends to cases alleging infringement by an internet service provider in violation of the various and differing state right of publicity laws.” The CDA states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” and preempts any state law to the contrary. 47 U.S.C. § 230(c)(1), (e)(3).

Recognizing a disagreement between the Ninth Circuit and some district courts as to whether the CDA preempts state law intellectual property claims, the court referred to the Ninth Circuit’s decision in Perfect 10 Inc. v. CCBill, LLC, which held that the CDA’s exclusion for “any law pertaining to Intellectual property” needed to be interpreted narrowly (to federal intellectual property claims) to comply with the statute’s objective of immunizing hosts of third-party content.

Supreme Court Upholds Ban on Robocalls, Severs Government Debt Exception

By Shannon Quinn, American University Washington College of Law

On July 6, 2020, the Supreme Court upheld a ban prohibiting robocalls to cellphones but struck down a 2015 amendment to the law exempting calls made to collect on debts owed to the federal government. In Barr v. American Association of Political Consultants, Justice Kavanaugh wrote for a divided Court, indicating that while the government debt exception did not pass muster under the First Amendment because it amounted to content-based discrimination, the offending provision could be severed, leaving a bulk of the Telephone Consumer Protection Act of 1991 intact.

The American Association of Political Consultants filed a declaratory judgment action against the U.S. Attorney General and the Federal Communications Commission (FCC) in 2016. The Association sought a determination that allowing the government to make debt collection calls while simultaneously restricting the group’s ability to make political calls violated the First Amendment. While the U.S. District Court for the Eastern District of North Carolina concluded that the debt exception survived a strict scrutiny analysis, the Fourth Circuit Court of Appeals vacated the judgment. The Fourth Circuit’s ruling was ultimately upheld by the Supreme Court, which decided that while the government does have an interest in debt collection, that interest does not outweigh the First Amendment’s protection against content-based discrimination. In contrast, the Court held that Congress maintains a compelling interest in protecting consumer privacy, justifying the blanket ban on robocalls of any kind. 

“Americans passionately disagree about many things,” wrote Justice Kavanaugh. “But they are largely united in their disdain for robocalls.” The opinion notes that the federal government received 3.7 million complaints about robocalls in 2019 alone.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.