News & Insights


December 12, 2016

Data, Privacy & Security Practice Report – December 12, 2016

Presidential Commission Releases Cybersecurity Report And Recommendations - On December 1, 2016, the Commission on Enhancing National Cybersecurity issued its final report with a series of recommendations for the incoming administration on strengthening the country’s cybersecurity.  As explained below, the Commission’s recommendations include a number of public-private collaborations.

President Obama created the 12-member nonpartisan Commission in February 2016 by Executive Order and tasked it with making “detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector.”  The Commission included various industry executives, including from IBM, MasterCard, Microsoft, and Uber, and also included former directors of the NSA and the National Institute of Standards and Technology (“NIST”).  Four members of the Commission were chosen by the leaders of both parties in the U.S. House and U.S. Senate.

The Commission held public hearings during which it heard from representatives in industry, government, and academia.  The Commission also reviewed past cybersecurity reports by other agencies and organizations, and took public comments. 

In drafting its final report, the Commission’s stated goal was to develop recommendations that would be realistic to implement, given both political realities and market forces.  The Commission made no long-term recommendations; all of the recommendations and action items in the report are aimed at the short- and medium-term.

The report identifies six main imperatives for enhancing cybersecurity: (1) securing infrastructure, (2) investing in security and growth of networks, (3) preparing consumers for the digital age, (4) building cybersecurity workforce capabilities, (5) improving government cybersecurity capabilities, and (6) ensuring a competitive and secure global digital economy.  Within these imperatives, the report makes 16 different recommendations with 53 action items.  Many of these recommendations, as outlined below, require private sector involvement or collaboration. 

The report recommends that the federal government collaborate with the private sector to define and implement a new model for securing and defending infrastructure, to increase the use of strong authentication, and to improve the security of the Internet of Things.  Within these recommendations, the report suggests a number of specific action items.  For example, the report suggests that the President should create, through Executive Order, a new group reporting directly to the President, called the National Cybersecurity Private-Public Program, as a forum for addressing cybersecurity issues. The report also calls on the Department of Justice to convene an interagency study, including private-sector participation, assessing the current state of the law on liability for any damage caused by faulty Internet of Things devices.

The report also recommends that the private sector work with consumer organizations and the Federal Trade Commission (“FTC”) to provide consumers with better information about the security of connected products and services.  Specifically, the report suggests, for example, that the FTC work with consumer organizations and industry members to develop a digital-age Consumer’s Bill of Rights and Responsibilities.  The report also proposes that, within the first 100 days of the next administration, the President should convene a summit of business, consumer, education, and government leaders to create a national cybersecurity awareness campaign.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758,

TCPA Lawsuit Surges Ahead, Even Though Plaintiff Deleted Text Messages – Pizza Hut and several franchise owners are currently defending a class action lawsuit in the U.S. District Court for Southern District of Florida based on claims that their 2011 promotional text-message campaign violated the Telephone Consumer Protection Act (“TCPA”). Plaintiff Brian Keim filed the lawsuit in May 2012 on behalf of himself and a proposed class of similarly situated individuals. In the most recent twist, the court has allowed the case to proceed, even though the plaintiff deleted evidence of the text messages from his cellphone, including messages that may show that plaintiff asked his friend to sign him up for the promotional text-message campaign.

The TCPA regulates persons or companies who make telephone calls using an automatic telephone dialing system (“ATDS”). 47 U.S.C. § 227(b). Specifically, the TCPA makes it unlawful for “any person . . . to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice . . . to any telephone number assigned to a . . . cellular telephone service.” 47 U.S.C. § 227(b)(1)(A)(iii). The Federal Communications Commission (“FCC”), which is granted authority to issue declaratory rulings to implement the TCPA, and federal courts have issued decisions that treat text messages as “calls” under the TCPA. Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Declaratory Ruling and Order, 30 FCC Rcd. 7975 (2015), 2015 WL 4387780, at *37; see also Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 949 (9th Cir. 2009). Further, the FCC requires that senders obtain cellphone users’ prior express written consent before sending text messages to them. Id. at *15.

In this case, plaintiff alleged that Pizza Hut and the franchisees impermissibly obtained his cellphone number and sent him promotional text messages without his consent. Plaintiff seeks to recover statutory damages in the amount of $500 per text message sent in violation of the statute and $1,500 per text message that was sent in willful violation of the statute. There is no cap on the total amount of damages that may be awarded under the TCPA.

The case has been heavily litigated on both sides. For example, when plaintiff moved to certify the case as a class action, defendants made him an offer of judgment of $1,500. Based on defendants’ offer of judgment, the federal district court initially dismissed the case for lack of subject matter jurisdiction because plaintiff no longer had a stake in the litigation. Plaintiff appealed the decision, however, and the U.S. Court of Appeals for the Eleventh Circuit reversed and remanded the case to the district court. 

Since returning to the district court, defendants filed another motion to dismiss for failure to state a claim under the TCPA, but the court denied the motion as moot. Due to a series of stays and other extensions, defendants did not file an answer to the complaint until January 2016—nearly four years after the lawsuit started.

Once discovery started and the parties exchanged documents, defendants learned that plaintiff had failed to preserve text messages that are the basis of his lawsuit, as well as text messages he sent to his friend, which defendants suspect would show that plaintiff asked his friend to sign him up for the promotional text-message campaign. Plaintiff’s friend is now deceased, and a forensic evidence specialist could not recover the content of the text messages. Defendants moved for sanctions. In support of their motion, defendants submitted evidence of the text message flow demonstrating that plaintiff’s friend had subscribed plaintiff’s cellphone number to the promotional text message campaign. In the court’s December 5, 2016 order, the court found that even though the deleted text messages could not be restored or replaced through additional discovery, plaintiff’s duty to preserve the text messages as evidence had not been triggered at the time he destroyed them because he deleted the texts several months before he knew that he was going to sue Pizza Hut. Keim v. ADF Midatlantic, LLC, et al., No. 12-CV-80577, Dkt. No. 186 (Fla. Dec. 5, 2016).  It remains to be seen how plaintiff’s destruction of evidence will impact his claims going forward and whether it will serve as a basis for dismissing the case when defendants move for summary judgment. For now, however, defendants must continue to litigate plaintiff’s claims despite plaintiff’s destruction of this key evidence. 

King and Spalding recommends that any company that is planning on engaging in outbound marketing communications via text-message, voice-calls, or faxes, consult with an attorney to ensure that the communications comply with the TCPA and governing FCC declaratory rulings and orders, in order to reduce the risk of costly litigation like this case.

Reporter, Julie A. Stockton, San Francisco, CA, + 415 318 1256,

Rule Change Expands Federal Courts’ Search Warrant Power Over Electronic Data – On December 1, 2016, a change to Federal Rule of Criminal Procedure 41(b) took effect that allows federal courts to issue broad warrants for access to electronic communications and data.  The former version of Rule 41(b) limited the scope of search warrants for the search and seizure of property (including electronic data) within a federal court’s own district.  The new version of the rule provides a much broader scope – federal courts can now issue warrants for remote access to electronic data outside their own district if the “location of the information has been concealed through technological means” or when the data is in five or more districts.  

The implications of this rule change have been subject to robust debate.  Critics of the rule change say that it opens the door to law enforcement surveillance that is not subject to any geographic constraints, and that such activity could impact anyone using routine and legitimate privacy tools to protect their electronic data.  The Department of Justice (“DOJ”) has countered that the rule change does not create any new substantive right to search or in any way alter existing statutory or constitutional requirements, and that the changes are needed to ensure law enforcement activities are not thwarted by “outmoded venue rules.” 

The DOJ has advocated for the rule change since 2014, arguing that it is necessary to help law enforcement keep pace with the growing use of sophisticated technologies used by cyber criminals to conceal their identities.  Examples of such technology are “botnets,” which are a collection of computers (often personal computers).  Malicious software associated with a particular botnet allows infected computers (individually known as bots) to be remotely controlled by a master computer.  Use of such botnets aids in masking the true identities and locations of the perpetrators of criminal activities. 

The rule change was approved by the U.S. Supreme Court on April 28, 2016, and because Congress took no action prior to December 1, 2016, the new version of the rule is now in effect.

Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216,

Also In The News

King & Spalding Issues Client Alert Regarding Proposed Cybersecurity Standards For Certain Banking Entities – On October 19, 2016, the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve, and the Federal Deposit Insurance Corporation (“FDIC”) issued a joint advance notice of proposed rulemaking on enhanced cyber risk management standards.  The agencies are seeking public comment on the proposed rule by January 17, 2017.  To access the Client Alert, please click here