
April 27, 2015

Data, Privacy & Security Practice Report – April 27, 2015


FEATURED ARTICLES

U.S. Supreme Court Will Decide Privacy Breach Standing — On April 27, 2015, the U.S. Supreme Court granted certiorari in Spokeo Inc. v. Robins, Case Number 13-1339. The issue raised by the certiorari petition was whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm by authorizing a private right of action based on a bare violation of a federal statute.

The federal appellate courts are split on whether a plaintiff must allege actual injury and not just a violation of a federal statute in order to establish Article III standing.  Article III of the Constitution mandates that plaintiffs in federal court claim harm in order to sue, but modern financial regulation and privacy issues have challenged this principle.  

In Spokeo, the plaintiff claimed that he had suffered an actionable injury because the website provided prospective employers with inaccurate personal information about him and failed to exercise its responsibilities as a consumer reporting agency with fairness.  According to plaintiff, the alleged misrepresentations violated the Fair Credit Reporting Act (“FCRA”), the basis of the plaintiff’s class action suit.  Spokeo moved to dismiss for lack of standing, and the U.S. District Court for the Central District of California granted the motion.  In dismissing the complaint, the district court held that Robins failed to allege an injury or actual harm and explained that allegations of possible future injury do not satisfy Article III standing requirements.  On appeal, the U.S. Court of Appeals for the Ninth Circuit reversed, holding that plaintiff’s allegation of willful violations of the FCRA was sufficient to confer Article III standing because, according to the Ninth Circuit, the statutory cause of action does not require a showing of actual harm when the complaint alleges willful violations of the FCRA. 

In its petition before the Supreme Court, Spokeo argued that the court should hear the case because the question of Article III jurisdiction has significant implications for class action litigation.  In addition to the FCRA, Spokeo’s brief cited numerous other federal laws that include both private rights of action and statutory damages, including the Telephone Consumer Protection Act, Truth in Lending Act, Fair Debt Collection Practices Act and Electronic Funds Transfer Act.  A decision in this case would also resolve similar issues presented under those federal statutes.  

The Supreme Court’s resolution of this issue is likely to have a significant impact on the future viability of data breach and other privacy-related consumer class action cases, in which the complaints typically do not allege any actual harm.  The text of the Ninth Circuit decision is available here.

Reporter, Ashley B. Guffey, Atlanta, +1 404 572 2763, aguffey@kslaw.com.

Secretary Of Homeland Security Seeks Cooperation Between Public And Private Sectors In Fight Against Cybercriminals — On April 21, 2015, Department of Homeland Security (“DHS”) Secretary Jeh Johnson spoke at the annual RSA Conference 2015.  In his remarks, Johnson explained that, while the DHS was established primarily to focus on counter-terrorism, cybersecurity has emerged over time as an equal priority when it comes to national defense.  Johnson called for greater partnership between government and the private sector to address cybersecurity threats.  Johnson went on to note that the development of greater data encryption poses significant challenges for law enforcement.

Johnson highlighted the priority placed by the Federal government – including the President, his administration, and the DHS – on cybersecurity issues.  Central to the cybersecurity efforts of the DHS is the National Cybersecurity and Communications Integration Center (“NCCIC”), which Johnson described as serving as the government’s “central interface with the private sector in responding to and mitigating cyber threats.”  Johnson said that in 2014 the NCCIC received over 97,000 cyber incident reports from the private and government sectors and issued nearly 12,000 cyber alerts and warnings.  According to Johnson, the NCCIC is striving to provide near real-time automated information sharing to the private sector and recently deployed the capability to automate publication of cyber threat indicators to select companies and government agencies.  He stated that later this year, the NCCIC hopes to begin to accept cyber threat indicators from the private sector in an automated, near real-time format.

Johnson’s remarks also addressed the limits of the government’s ability to investigate and prosecute cybersecurity incidents.  According to Secretary Johnson:  “Government does not have all the answers or all the talent.  Cybersecurity must be a partnership between government and the private sector.  We need each other, and we must work together.”  Johnson identified increasing levels of data encryption as a significant roadblock to the government as it seeks to detect and prosecute criminal and, specifically, terrorist activity.  He commented that “[o]ur inability to access encrypted information poses public safety challenges” and that the impact of strong encryption is, on the whole, detrimental to the government’s national security efforts.  Johnson highlighted the complicated balance between privacy concerns faced by individuals and companies on the one hand, and the need for data access in order to thwart terrorism and prosecute cybercrimes on the other: “[h]omeland security itself is a balance – a balance between the basic, physical security of the American people and the liberties and freedoms we cherish as Americans.”  On the topic of stronger encryption, at least one commentator has recently recognized that Johnson’s comments are more conciliatory than those of others in the Obama administration who have recently come out strongly against data encryption (particularly Attorney General Eric Holder and FBI Director James Comey).

Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, ehalse@kslaw.com.

Cybersecurity Legislation Passes In The House — As an update to last week’s article, Congress To Take Up Major Cybersecurity Legislation During “Cyber Week”, the House passed H.R. 1560 and H.R. 1731.  These Acts will now be combined and sent as a package to the Senate.

On Wednesday, April 22, the House approved H.R. 1560, the Protecting Cyber Networks Act, in a 307-116 vote.  On Thursday, April 23, the House approved H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015, in a 355-63 vote.  The House approved H.R. 1560 and H.R. 1731 in order to enhance the voluntary sharing of cyber threat indicators and defensive measures between companies, and between companies and the federal government, while ensuring that privacy and civil liberties protections are respected.

To enhance the voluntary sharing of cyber threat information, the House included in the Acts a provision granting companies protection from civil liability when they are monitoring information systems and/or sharing cyber threat information.  The House narrowed the scope of liability protections by shielding companies from civil liability only when they acted in good faith and in accordance with the Acts.  Under H.R. 1560, liability protection will not be afforded to those companies that have engaged in willful misconduct.  However, even with this language, criticism over the scope of liability protections remains.  While the Obama administration supports the House passage of these Acts, on Tuesday, April 21, it noted in a Statement of Administration Policy on H.R. 1560 and in a Statement of Administration Policy on H.R. 1731 that it still has concerns about the “sweeping liability protections.”  Furthermore, “improvements to the bill are needed to ensure that its liability protections are appropriately targeted to encourage responsible cybersecurity practices.”  With these concerns still present, it is likely that the Senate will discuss narrowing the language even further.

As noted above, under the Acts, the House sought to enhance the voluntary sharing of cyber threat information, while ensuring that privacy and civil liberties protections remain.  As a consequence, under the Acts, companies and the federal government must remove personal information of specific persons who are not directly related to the cybersecurity threat before sharing any information.  In addition to this requirement, there will be periodic reports sent to Congress in order to ensure proper oversight of the federal government with regard to whether personal information is being properly scrubbed from shared data and not used for purposes unrelated to cybersecurity.  For example, under H.R. 1560, the Director of National Intelligence must periodically report to Congress on the federal government’s use of the shared data, and the Privacy and Civil Liberties Oversight Board must report to Congress and the President on the sufficiency of the procedures that address privacy and civil liberties concerns.

Overall, interested parties see the passage of these Acts as progress.  The question now is how the Senate will address the combined legislation and whether discussions in the Senate will be stalled due to other pressing issues.

Reporter, Jennifer Raghavan, San Francisco, +1 415 318 1234, jraghavan@kslaw.com.

New Cyber Strategy Issued By Pentagon — In a speech at Stanford University on April 23, 2015, Department of Defense (“DoD” or the “Pentagon”) Secretary Ash Carter unveiled the Pentagon’s new cyber strategy (the “Strategy”) and called on the technology sector to partner with DoD in combatting cyber crime and terrorism.  He also confirmed that Russian hackers had accessed one of the Pentagon’s unclassified networks earlier this year.

According to the Strategy, “[t]he United States is committed to an open, secure, interoperable, and reliable Internet that enables prosperity, public safety, and the free flow of commerce and ideas. … Yet these same qualities of openness and dynamism that led to the Internet’s rapid expansion now provide dangerous state and non-state actors with a means to undermine U.S. interests.”  Further, “[l]eaders must take steps to mitigate cyber risks.  Governments, companies, and organizations must carefully prioritize the systems and data that they need to protect, assess risks and hazards, and make prudent investments in cybersecurity and cyber defense capabilities to achieve their security goals and objectives.”

The Strategy builds on the work begun by the Pentagon in May 2011 in addressing cyber threats and sets forth the “strategic goals and objectives for DoD’s cyber activities and mission to achieve over the next five years.”  In order to improve collective cybersecurity and protect U.S. interests, the Pentagon will seek to expand information sharing and interagency coordination; build bridges to the private sector; and build alliances, coalitions, and partnerships abroad. 

The Strategy is focused on three primary missions:

  • DoD must defend its own networks, systems, and information.
  • DoD must be prepared to defend the United States and its interests against cyber attacks of significant consequence.
  • If directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans.

A new cyber mission force encompassing “leaders and communities across DoD and the broader U.S. government” is being developed to advance the Strategy, which has the following five goals for these missions:

  • Build and maintain ready forces and capabilities to conduct cyberspace operations;
  • Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  • Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyber attacks of significant consequence;
  • Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; and
  • Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

A Pentagon web site devoted to the new Strategy may be found here.  A statement issued by Stanford University may be found here.

Reporter, Claudia A. Hrvatin, Washington, +1 202 661 7950, chrvatin@kslaw.com.

Online Advertising: When In Doubt, DISCLOSE — The FTC has approved the final order in its February complaint against AmeriFreight for failing to disclose that it compensated consumers for their online reviews.  Coordinated and paid advertising campaigns that do not disclose paid endorsements test the FTC’s guidelines known as the .com Disclosures, issued in March 2013.

In this enforcement action, the FTC highlighted that AmeriFreight advertised on its website that it has “more highly ranked ratings and reviews than any other company in the automobile transportation business.”  AmeriFreight also provided potential customers with written price quotes that refer to its online reviews.  The company did not, however, disclose to its potential customers that it offered a $50 discount on the price of its services if a customer agreed to review AmeriFreight’s services online.  AmeriFreight also awarded cash prizes to those customers with the best monthly review.  The FTC’s complaint notes that the majority of the online reviews of AmeriFreight’s services fail to disclose that the endorsers were compensated to post an online review or that the endorsers were eligible to receive an additional monetary award if selected for the “Best Monthly Review Award.”

According to the FTC’s guidelines, advertisers must make clear and conspicuous disclosures, regardless of the platform, in order to prevent an advertisement from being deceptive or unfair.  If a platform does not provide the opportunity to make these necessary disclosures, then the advertisers should refrain from using such platform.

A recent controversy over an advertising campaign by Lord & Taylor through Instagram has brought awareness to disclosures in advertising campaigns.  Earlier this month, Lord & Taylor gave 50 popular style bloggers a paisley dress and paid them to post a photo of themselves wearing the dress on Instagram.  The campaign was a success: the dress sold out almost immediately.  However, the bloggers all failed to mention that Lord & Taylor paid them for the Instagram post.  With the Lord & Taylor campaign, the bloggers likely would have been in compliance with these FTC guidelines if they had added a hashtag to the post that indicated their relationship with Lord & Taylor, such as “#ad” or “#sponsored.”

The FTC advises that when in doubt, it is best to clearly disclose when a post or review is an ad or a sponsored message.  It is important to note that the FTC’s .com Disclosures state that “necessary disclosures should not be relegated to ‘terms of use’ and similar contractual agreements.”  Therefore, merely placing a notice in the Terms of Use or Privacy Policy may not be sufficient when advertising through consumers on social media platforms, especially when the company is paying the consumer for the positive social media post or online review.

Reporter, Jennifer Raghavan, San Francisco, +1 415 318 1234, jraghavan@kslaw.com.

King & Spalding And PwC Host Cybersecurity Summit In Atlanta

On April 20, 2015, cybersecurity experts from King & Spalding and PwC hosted the 2015 Cybersecurity Summit:  Are You Prepared?, before a full house in King & Spalding’s Atlanta office.  Phyllis Sumner, who leads King & Spalding’s Data, Privacy and Security Practice, offered opening and closing remarks and emphasized how attention to cybersecurity issues has expanded from technical discussions in IT Departments to prominent agenda items in corporate C-suites and Board rooms.  In addition to experts from King & Spalding and PwC, the Cybersecurity Summit also featured prominent guest speakers Georgia Attorney General Sam Olens; The Honorable Stanley F. Birch (Ret.), former U.S. Circuit Judge for the Eleventh Circuit Court of Appeals; and Rod Coffin, Special Agent with the FBI’s Cyber Division.

In a series of in-depth panel discussions interspersed with focused “Hot Topic” discussions, the Summit covered a broad range of critical cybersecurity topics that are front and center not only in corporate C-suites and Board rooms, but also at government regulatory agencies and the plaintiffs’ class action bar.  Please see below for a summary of the Cybersecurity Summit content, and please click here to see the Summit agenda and biographies of the participants.

Panel Discussions.

Incident Response Planning.  FBI Special Agent Rod Coffin joined this panel to share his experience investigating a wide range of data breach cases, including identity theft and network intrusion incidents.  Special Agent Coffin and his co-panelists from King & Spalding and PwC drew on their various experiences of investigating, prosecuting and conducting forensic analyses of cybersecurity incidents to offer best practices for the planning and execution of incident response protocols, including when it may be in the best interests of a company to enlist the investigative resources of the FBI.  The panel was moderated by Nick Oldham of King & Spalding and also featured Don Ulsch of PwC.

Who’s Knocking at Your Door? – Government Enforcement Issues.  Georgia Attorney General Olens joined this panel to share his perspectives on the role of the Georgia Attorney General’s Office, and of state Attorneys General more broadly, in the investigation and enforcement of privacy and security issues.  King & Spalding and PwC co-panelists offered perspectives from their vantage points of experience with federal enforcement authorities, including DOJ, HHS OCR, FTC, FCC and SEC, as well as state insurance departments.  The panel focused on the varying interests and current initiatives of various enforcement authorities and the extent or lack of coordination among agencies in investigations and enforcement actions.  The panel was moderated by Chris Burris from King & Spalding and also included participation and input from Norm Armstrong, Gary Grindler, Rob Keenan and Phyllis Sumner from King & Spalding and Charles Beard of PwC.

Class Action Landscape.  Judge Birch was joined by King & Spalding class action defense lawyers and a member of the plaintiffs’ bar who regularly join battle on the front lines of major class action privacy and security litigation.  This panel featured good-natured but lively debate among the combatants, interspersed with Judge Birch’s perspectives from 20 years on the bench and now as a JAMS neutral.  The panelists devoted substantial attention to discussing the related topics of plaintiffs’ damages and standing that will dictate the scope and likelihood of success of future privacy and security class action litigation.  The panel was moderated by Barry Goheen from King & Spalding and also included Stewart Haskins from King & Spalding and Christopher Dore from Edelson PC.

U.S. & International Legislative Perspectives.  In the final panel of the day, cybersecurity experts from King & Spalding’s Washington, D.C., London and Moscow offices examined pending legislative and other public policy initiatives likely to govern information privacy and security in the U.S., the EU and beyond.  In a mark of progress, two bills discussed during the panel, the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731), both passed the U.S. House of Representatives last week.  The global panel included J.C. Boggs, a partner in our Washington-based Government Advocacy and Public Policy group, and corporate partners Alla Naglis and Pulina Whitaker, from King & Spalding’s Moscow and London offices respectively.

Hot Topic Discussions.

In the 15-minute “Hot Topic” discussions, King & Spalding and PwC experts offered focused insights on critical components of security risk assessments, breach identification and cyber insurance coverage.

In Assessing Third-Party Cyber Security Risks, David Stainback of PwC shared his experience and views on best practices for the diligence, contracting and ongoing oversight of third-party vendors that will receive a company’s sensitive information.

In Have You Been Breached and Don’t Know It?  Breach Indicator Assessments, David Ames of PwC described processes and tools that can be used to enhance a company’s ability to detect and respond to cyber threats in a timely manner.

In Cyber Insurance Trends, Meghan Magruder of King & Spalding and Alice Edwards of PwC discussed the types and availability of cyber insurance coverage, along with methods to optimize a company’s prospects of obtaining coverage at desirable rates.

Reporter, Rob Keenan, Atlanta, +1 404 572 3591, rkeenan@kslaw.com.

The content of this publication and any attachments are not intended to be and should not be relied upon as legal advice.
