Maine Enacts Insurance Data Security Act
By Roxanne Eastes, Young Conaway Stargatt & Taylor, LLP
On March 17, 2021, the Governor of Maine signed a new data protection law that goes into effect on January 1, 2022. The Maine Insurance Data Security Act establishes standards for insurance data security, but does not create or curtail any private causes of action that exist in the absence of the law.
Under this statute, Maine insurance carriers have certain requirements for the investigation and notification to consumers of “cyber security events” such as information leaks. The insurance carriers are also required to implement a written information security program that must be designed to:
A. Protect the security and confidentiality of nonpublic information and the security of the insurance carrier’s information systems;
B. Protect against reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the insurance carrier's information systems;
C. Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and
D. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when it is no longer needed.
Supreme Court Rejects Alleged Violation of the TCPA
By Reuben G. Gottlieb, Young Conaway Stargatt & Taylor, LLP
The U.S. Supreme Court recently rejected claims that Facebook violated the Telephone Consumer Protection Act of 1991 (“TCPA”), holding that that an autodialer under must have the capability to use a random or sequential number generator to cache or generate phone numbers. Facebook, Inc. v. Duguid et al., 141 S.Ct. 1163 (2021). Reversing the Ninth Circuit, the Court deduced that it is insufficient for an autodialer to have the capability to store numbers and dial them automatically.
The allegations made against Facebook maintained that it violated the TCPA by sending targeted, individualized text messages to numbers associated with the social media platform’s accounts. However, the Court maintained that because Facebook’s notification system could not store and produce numbers “using a random or sequential number generator,” it did not qualify as an autodialer under the TCPA.
Are Websites Places of “Public Accommodation” for Purposes of the ADA? The Eleventh Circuit Says “No”
By John E Ottaviani, Partridge Snow & Hahn LLP
Does a website constitute a place of “public accommodation” for purposes of the American Disabilities Act? In Gil v Winn-Dixie Stores, Inc., No. 17-13467 (11th Cir. April 7, 2021), in a 2-1 decision, the Eleventh Circuit Court of Appeals said “No.”
The case involved an individual with a visual impairment, who claimed that his screen reader software did not work with the functionality to refill prescriptions on Winn-Dixie’s website. The plaintiff sued the Winn-Dixie grocery chain for violating Title III of the American With Disabilities Act (ADA). Winn-Dixie admitted that the ADA applies to its physical grocery stores, but argued that the website was not a place of “public accommodation” subject to the ADA. After trial, the district court entered judgment in favor of the plaintiff.
On appeal, the Eleventh Circuit noted that there is a split of authority on the issue, with the 1st and 7th Circuits finding that a website is a place of “public accommodation,” and the 3rd, 6th and 9th Circuits holding that a website is not covered by the ADA. The opinion then reviewed the language of the ADA and concluded that the definition of “public accommodation” in the ADA only covers tangible, physical locations, such that the plaintiff’s inability to communicate with the website itself was not a violation of the ADA.
The Eleventh Circuit then addressed the plaintiff’s claim that the ADA also forbids intangible barriers that prevent an individual from enjoying the goods and services of a place of public accommodation. The court again rejected the argument, concluding that, because Winn-Dixie made no sales through the website, the plaintiff was not impeded access to the goods and services offered by the physical stores.
The split among the Circuits makes it difficult for practitioners to provide clear advice to companies that operate physical locations in multiple jurisdictions. Congressional action, or a decision from the Supreme Court, may be the only way that the situation can be clarified.
Massachusetts High Court Denies Facebook’s Assertion of Attorney-Client Privilege and Work Product Doctrine
By Reuben G. Gottlieb, Young Conaway Stargatt & Taylor, LLP
The Massachusetts Supreme Judicial Court ruled that while several of the Attorney General’s targeted requests to Facebook were protected by attorney-client privilege, many communications were not protected because attorney-client privilege does not protect underlying facts. Attorney General v. Facebook, Inc., 164 N.E.3d 873 (Mass. 2021). Reacting to the Cambridge Analytica scandal, Facebook engaged in an internal investigation to evaluate potential resulting legal liabilities. The Attorney General would later demand that the social media platform provide the identities of applications and developers that it reviewed. Facebook maintained that its investigation had been protected by both attorney-client privilege and work product doctrine.
In rejecting Facebook’s assertions, the court noted that the underlying data breaches of individual applications were independently discoverable and not protected by Facebook’s own factual investigation. The court emphasized that attorney-client privilege only protects communications between an attorney and its client, and not the facts themselves. Additionally, the court remanded the work product issue as it could not conclude whether information requested fell into the category of opinion work product. Such a remand will require a lower court to examine the specific requirements of each request and determine what information may be revealed.