August 8, 2016

Data, Privacy & Security Practice Report – August 8, 2016


FTC Expands Its Role In Cybersecurity Enforcement By Reviving LabMD Action – On Friday, July 29, 2016, the Federal Trade Commission (“FTC” or the “Commission”) overturned the decision of one of its administrative law judges (“ALJ”) from November 2015 in a suit against LabMD, Inc., now finding LabMD liable for lax data security practices and adopting an expansive view of the FTC’s enforcement authority for such cybersecurity issues.

The FTC found that over a stretch of at least several years, LabMD did not have basic data security practices in place.  As a result of these broad failures, there were multiple incidents that exposed the personal information of about 10,000 consumers of the since-shuttered medical laboratory.  In one incident in 2008, a file containing the names, dates of birth, apparent Social Security numbers, codes for conducted medical tests, and insurance information for approximately 9,300 individuals was allegedly made available to the public on a peer-to-peer file-sharing service.  A LabMD billing manager had previously installed the LimeWire peer-to-peer program to download and share music, but had designated her “My Documents” folder, where the file was stored, as a shared folder.  In another incident in 2012, the Sacramento police allegedly found hard-copy documents with the names and Social Security numbers of approximately 600 LabMD customers in the possession of identity thieves.

LabMD maintained that the FTC had not proven its unfairness claim under Section 5(n) of the FTC Act, which requires the Commission to show that a practice “causes or is likely to cause substantial injury to consumers” that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.  The FTC argued that LabMD’s practices, which allowed these security lapses, created a significant risk of future data breaches.

In a unanimous opinion authored by FTC Chairwoman Edith Ramirez, the Commissioners held that LabMD’s data security lapses were unreasonable and amounted to an unfair act or practice under Section 5 of the FTC Act, because they caused the unauthorized disclosure of patients’ medical data, amounting to a “substantial injury” to consumers.

The initial ALJ ruling had dismissed the action, finding that the FTC had failed to meet its burden of proof under the unfairness prong of Section 5 because there was no concrete evidence that the consumers with exposed personal data had suffered harm.

In overturning the ALJ ruling, the FTC made clear its regulatory expectations and the breadth of its enforcement powers concerning data security.  Following this decision, the mere exposure of sensitive information, even without evidence of misuse, will likely constitute substantial consumer injury and create liability under Section 5.  As Chairwoman Ramirez wrote in the opinion, the FTC “need not wait for consumers to suffer known harm at the hands of identity thieves” to take action.

The case is In the Matter of LabMD Inc., docket number 9357, before the FTC, and the July 29 decision can be found here.

Reporter, Nicole Pereira, New York, NY, +1 212 556 2132, npereira@kslaw.com.

Pokémon Go Faces More Criticism – Pokémon Go is a location-based augmented reality game in which players use their mobile device to catch Pokémon in the players’ real-world surroundings by utilizing the camera, GPS, and gyroscope features of the mobile device.  The game is a result of a collaboration between Niantic Inc., Nintendo Co. Ltd., and The Pokémon Company (collectively, the “game makers”).  Despite the immediate success of Pokémon Go, the game makers have faced a number of legal issues in the United States, especially in the past two weeks.  

On Tuesday, July 26, David Beckman, an end user of the popular game, filed suit against the developer, Niantic Inc., in Florida court.  Beckman claims that the game’s terms of service and privacy policy violate the Florida Deceptive and Unfair Trade Practices Act.  To create a profile on Pokémon Go, a user must sign in through the user’s Google, Facebook, or other preexisting third-party account.  According to Niantic’s policies, Niantic has the right to retain and share user data, including players’ location, recent web history, search terms, and user messages.  This license is perpetual and irrevocable and therefore survives cancellation or discontinuation of a user’s access to or use of the game.  Beckman claims that Niantic does not have any real contractual obligation to users, since it can unilaterally and materially change its policies at any time and at its sole discretion.  In addition, Beckman claims that Niantic unlawfully asserts the right to terminate a user’s account at the company’s sole discretion and refuses a refund for any virtual goods purchased while playing the game.  Accordingly, Beckman seeks a declaratory judgment from the Florida court that the game’s terms of service contract is unenforceable.  If the court finds that Niantic has no real contractual obligation or that the contract is otherwise unenforceable, Niantic would not have any express right to collect data from players and could be subject to even more liability for its operation of the game and/or for others’ use of the game.  In other words, if the court grants Beckman’s request for a declaratory judgment, Niantic would have to change its policies.

In addition to the Beckman lawsuit filed last week, Niantic received criticism from the Electronic Privacy Information Center (“EPIC”) for its data collection practices related to the game.  As Bethany Rupert of King & Spalding reported two weeks ago, under the game’s original disclosure policy, the game makers were allowed to delve into iPhone users’ Google email accounts and documents without alerting the users.  Niantic released an update on July 13th that reduced its permissions, allowing it access to only the basic Google account information of users.  Despite this fix, EPIC urged the Federal Trade Commission (“FTC”) to launch an investigation of Niantic and its data collection practices related to Pokémon Go.  In its letter to the FTC, EPIC expresses a number of issues with Niantic’s data practices, including the issue that Niantic does not explain the scope of information gathered from users’ Google accounts or why it is necessary to access such information.

On top of the Beckman lawsuit and the criticism from EPIC, the game makers face a class action complaint filed by Jeffrey Marder on Friday, July 29.  In addition to catching Pokémon, players may gain access to Pokéstops and Pokémon gyms to acquire in-game items (which they can use to catch Pokémon) and to engage in virtual battles with other Pokémon Go players.  The game makers programmed the GPS coordinates of certain real world locations and designated them as Pokéstops and Pokémon gyms.  Mr. Marder filed a class action in the United States District Court for the Northern District of California, claiming that Niantic placed Pokéstops and Pokémon gyms on or directly adjacent to private property without the consent of the properties’ owners.  Marder claimed that this “intentional, unauthorized placement of Pokéstops and Pokémon gyms” on or near his property and the property of other members of the proposed class constitutes “a continuing invasion of the class members’ use and enjoyment of their land, committed by Niantic on an ongoing basis for Defendants’ profit.”

Mr. Marder claims that during the week of Pokémon Go’s release, strangers began lingering outside of his home in West Orange, New Jersey, with phones in their hands.  At least five individuals knocked on his door and asked for access to his backyard so they could catch Pokémon that Niantic had placed at his residence without his permission.  In addition, Mr. Marder describes a number of other incidents around the country where Niantic designated Pokéstops and Pokémon gyms on private property without permission.  For example, an individual in Massachusetts reported that Niantic placed a Pokémon gym at his home without his permission.  Niantic even placed three Pokéstops within the United States Holocaust Memorial Museum in Washington, D.C.  In response to the influx of Pokémon players, the Museum’s communications director, Andrew Hollinger, stated that, “Playing the game is not appropriate in the museum, which is a memorial to the victims of Nazism.  We are trying to find out if we can get the museum excluded from the game.”

The game makers have not yet commented on the legal complaints raised by Beckman, EPIC, and Marder.  The Pokémon Go Terms of Service, which users must agree to in order to play the game, do state that a player is responsible for the player’s own conduct while playing the game and that the player will not trespass, or in any manner attempt to gain access to, any property or location where the player does not have a right or permission to be.  Under the terms, the game makers “disclaim all liability related to any property damage, personal injury, or death” that may occur during a player’s use of the game.  Even with this disclaimer, many legal questions have been raised since the game’s inception.  Is Pokémon Go’s Terms of Service enforceable?  Do the augmented reality objects (i.e., the Pokémon) constitute a physical invasion of real property?  Will the game makers be responsible for some of the players’ actions while playing the game?  Stay tuned.

Reporter, Jennifer Raghavan, San Francisco, CA, +1 415 318 1234, jraghavan@kslaw.com.

Recent Amendments To State Security Breach Notification Laws – Security breach notification obligations vary by state, including how a security breach is defined, the method for providing notice of the breach, and any requirements to notify state regulators.  The following summarizes recent amendments, and newly effective amendments, to the security breach notification laws of three states: California, Rhode Island, and Illinois.

California – On July 22, 2016, California amended the state’s security breach notification law for the sixth time since the law became effective in 2003.  The amendments clarify the language of the law.  Most notably, the amendment clarifies California’s good faith exception to notification for acquisitions by employees or agents.  The good faith exception excuses notification of a security breach if particular elements are met.  Under the amendment, the good faith exception is available only if none of the breached information is used or subject to further unauthorized disclosure.  The previous version only required that the “personal information” not be subject to further disclosure.  Cal. Civ. Code §1798.82(g).  The revision arguably makes the good faith exception narrower than it was previously written.

These amendments come on the heels of more substantive changes enacted in 2015 and effective January of this year.  California defined “encrypted” as data that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”  Id.  This definition is important for the analysis of whether an incident is a breach under the statute, which requires that a person’s first name or first initial and last name, coupled with unencrypted data elements, be subject to unauthorized acquisition.  Cal. Civ. Code §1798.82(h)(1).  California also expanded the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition system.”  Cal. Civ. Code §1798.82(h)(1)(F).

Rhode Island – On June 26, 2016, Rhode Island’s far-reaching 2015 amendments to its state breach notification law became effective.  The new law now only requires notification of a security incident if it “poses a significant risk of identity theft to any resident of Rhode Island”.  R.I. St. §11-49.3-4(a)(1).  This limits the statute’s application.  If the incident is a breach, notification must now be made “no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements”.  Id. at §11-49.3-4(a)(2).  The previous version of the statute only required notice to be “prompt and reasonable.”  The amended statute also imposes new notification content requirements, which call for a brief description of the incident, the type of information subject to the breach, the known or estimated date or date range of the breach, the date the breach was discovered, a description of remediation services being offered, and instructions for filing a police report.  Id. at §11-49.3-4(d).

Illinois – Looking ahead, Illinois amended its notification statute to broaden the definition of personal information to include medical and health information, unique biometric data, and e-mail addresses in combination with passwords.  BUSINESS—PERSONAL INFORMATION PROTECTION, 2016 Ill. Legis. Serv. P.A. 99-503 (H.B. 1260) (WEST).  It has further made changes to the form of notification, which now may be electronic, and requires notification via a local media outlet if the breach impacts residents in a concentrated geographic area.  Id.  These changes are slated to become effective January 1, 2017.

There are many more states with proposed changes before the legislature that may come into effect in 2017.

Reporter, Julie A. Stockton, San Francisco, CA, +1 415 318 1256, jstockton@kslaw.com.

FAA Could Expand New Drone Rules To Permit Flights Over People – On August 2, Federal Aviation Administration (“FAA”) Administrator Michael Huerta, while speaking at the “White House Drone Day,” indicated that the FAA was open to the potential use of commercial unmanned aircraft systems (“UAS”), or drones, over populated areas.  Administrator Huerta’s comments come several weeks before the FAA’s new UAS rule goes into effect, a rule that some commentators have criticized as too restrictive.

On June 21, the FAA released its final rule covering the commercial use of UAS weighing up to 55 pounds, officially known as Part 107 of the Federal Aviation Regulations.  The rule, which goes into effect on August 29, restricts UAS to a maximum ground speed of 100 miles per hour and a maximum altitude of 400 feet, limits operation to daylight hours, and requires that UAS stay within the operator’s line of sight.  The rule also requires that operators obtain a “remote pilot airman” certificate by passing an aeronautical knowledge test at an FAA-approved testing center.  Operators can request a waiver of most operational restrictions if they can show that their proposed operation can be conducted safely under a waiver.

Under the new rule, individuals and companies that have been eager to use UAS for news gathering, agricultural, land surveying, or photography purposes in most cases no longer have to go through the cumbersome and expensive waiver process.  However, the new rule still restricts a variety of commercial activities, such as package delivery services and other activities involving flights over people.

In an apparent response to these criticisms, Administrator Huerta noted that the FAA has been researching UAS-related issues such as beyond-line-of-sight operation and operations over people, and he expected further rulemaking progress in these areas.  Administrator Huerta emphasized that “safely integrating drones into our airspace is one of the FAA’s top priorities” and that the United States’ UAS industry will “continue being a model for the rest of the world.”  In the last eight months, the FAA has registered more than 500,000 UAS.  By comparison, the FAA has only 320,000 registered manned aircraft.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.