December 19, 2016

Data, Privacy & Security Practice Report – December 19, 2016

Proposed Rule Would Mandate Vehicle-To-Vehicle Communication On Light Vehicles—The U.S. Department of Transportation (“DOT”) issued a proposed rule on Tuesday, December 13, 2016, that would advance the deployment of connected vehicle technologies throughout the U.S. light vehicle fleet.  The aim of the new rule is to enable vehicle-to-vehicle (“V2V”) communication in an attempt to reduce the number of car crashes per year by allowing the vehicles to “talk” to one another while in operation.

This proposed rule is in line with the goals to advance V2V technologies espoused by U.S. Transportation Secretary Anthony Foxx in an announcement he made in February 2014.  After directing the DOT’s National Highway Traffic Safety Administration (“NHTSA”) to advance rulemaking to that effect in that announcement, the NHTSA in turn issued an Advance Notice of Proposed Rulemaking in August 2014 which assessed the safety benefits of V2V communications.  In part due to the safety benefits identified in that report, the rule proposed on Tuesday would require automakers to include V2V technologies in all new light-duty vehicles.  The rule also proposes requiring V2V devices to adhere to a standardized “language” that the DOT would develop with the auto industry.

Automobiles equipped with V2V technologies would use short-range communications to transmit data, such as location, direction, and speed, to nearby vehicles.  That data would be updated and transmitted to nearby vehicles and, using that information, vehicles could identify risks and provide warnings to drivers to avoid imminent crashes.  Privacy would also be innately protected in V2V transmissions.  Due to the nature of the data being communicated, V2V transmissions do not involve the transfer of information linked to or, as a practical matter, linkable to an individual.  In addition, the proposed rule would require robust privacy and security protocols in any V2V equipment.  And since the period for public comment on the proposed rulemaking is open for the next 90 days, this provides a possible avenue of redress for any latent privacy concerns lurking within the rule as proposed.

Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, bschlossberg@kslaw.com.

AshleyMadison.com Operators Settle With FTC And States For $1.66 Million—On December 14, 2016, the Federal Trade Commission (the “FTC”) announced that ruby Corp., ruby Life Inc., and ADL Media Inc. (the “Defendants”) agreed to a settlement with the FTC, 13 states, and the District of Columbia.  The Defendants operate the AshleyMadison.com website, which was the target of a 2015 data breach that exposed the personal information of more than 36 million users.  In addition to $1.66 million in monetary fines, the 20-year settlement order requires the Defendants to establish and maintain a comprehensive data security program and obtain biennial independent data security assessments.

According to the FTC’s complaint, throughout 2014 and most of 2015, the Defendants stored password encryption keys in plain text on their server and in employee emails, allowing intruders to access the Defendants’ corporate network.  In August 2015, the intruders published personal information pertaining to more than 36 million AshleyMadison.com users, including full names, sexual preferences, and desired sexual activities. 

The FTC alleged that the Defendants represented the AshleyMadison.com website as “100% secure,” “risk free,” and “completely anonymous.”  The website also displayed an image indicating that it had received a “Trusted Security Award.”  The FTC’s complaint alleges that the Defendants never received any such award from any organization.  The Defendants also charged over 125,000 users $19 each for a “Full Delete” feature to remove user profiles permanently.  Per the FTC, the Defendants nevertheless retained those users’ personal information for up to 12 months.

Under the settlement order, for a period of 20 years, the Defendants must refrain from making further misrepresentations to their users regarding the security and confidentiality of their services.  The Defendants also must implement and maintain a comprehensive data security program with administrative, technical, and physical safeguards appropriate to the Defendants’ size and complexity, the nature of their business activities, and the sensitivity of the personal information they collect.  The mandated program must include a risk-based security assessment, employee training, regular program testing, and third-party vendor risk management controls.  Every two years during the 20-year term of the settlement order, the Defendants must engage qualified, objective, and independent third-party professionals to assess the mandated data security program.  The Defendants must submit the biennial assessments to the FTC. 

The settlement order also requires the Defendants to pay $828,500 to the FTC and an equal amount to be split between 13 states and the District of Columbia.  The assessment of monetary fines is a rare move for the FTC, whose settlements more typically impose only injunctive relief.

As quoted in the FTC’s press release, FTC Chairwoman Edith Ramirez stated: “This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide.  The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.” 

Reporter, Tom Randall, Washington, D.C., +1-202-626-5586, trandall@kslaw.com.

Seventh Circuit Applies Spokeo To Reject FACTA Suit—On December 13, 2016, the U.S. Court of Appeals for the Seventh Circuit issued an opinion in Jeremy Meyers v. Nicolet Restaurant of De Pere, LLC, __ F. 3d __, No. 16-2075, holding that the named plaintiff in a proposed class action brought under the Fair and Accurate Credit Transactions Act (“FACTA”) failed to establish Article III standing.  The court applied the U.S. Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), and joined a lengthening line of post-Spokeo decisions from federal courts of appeals that have held that a defendant’s mere violation of a statute, without accompanying actual, concrete injury, is insufficient to establish standing under Article III of the Constitution.

The action arose when Meyers received a printed receipt from the defendant restaurant that did not truncate his payment card’s expiration date, as FACTA requires.  (Meyers, slip op. at 2.) Meyers brought suit on behalf of himself and others similarly situated.  The U.S. District Court for the Eastern District of Wisconsin denied Meyers’ motion for class certification, and Meyers appealed to the Seventh Circuit. (Id. at 3.)

Without addressing the class certification issue, the court held that Meyers lacked Article III standing.  Quoting Spokeo’s admonition that “concrete injury is required ‘even in the context of a statutory violation’” (id. at 5 (quoting Spokeo, 136 S. Ct. at 1549)), the court analogized Meyers’ receipt to the Supreme Court’s hypothetical, in Spokeo, of an incorrectly reported zip code.  Because Meyers did not allege an actual harm of the kind FACTA was intended to address (that is, an actual risk of identity theft), the court determined that he had no standing to maintain his action. (Id. at 7.)

When the Supreme Court decided Spokeo, some observers suggested that the opinion did not represent an across-the-board victory for defendants in statutory violation cases.  In the seven months since the issuance of Spokeo, however, the federal courts of appeals consistently have found a lack of standing in privacy and other statutory claims.  (See Hancock v. Urban Outfitters, Inc., 830 F.3d 511, 514 (D.C. Cir. 2016) (District of Columbia consumer protection statute); Lee v. Verizon Comms., Inc., 837 F.3d 523, 529-30 (5th Cir. 2016) (ERISA); Braitberg v. Charter Comms., Inc., 836 F.3d 925, 930-31 (8th Cir. 2016) (Cable Communications Policy Act); Nicklaw v. Citimortgage, Inc., 839 F.3d 998, 1102-03 (11th Cir. 2016) (state satisfaction-of-mortgage statute).)  With the Meyers opinion, the Seventh Circuit now joins these other circuit courts in strictly applying the Spokeo ruling.

Taken together, these decisions and Meyers reinforce Spokeo’s holding that a violation of a statute, without more, may not be sufficient to grant standing, and suggest that plaintiffs who cannot show specific facts supporting their particularized injuries will face a steeper path to reach a jury.  This fact-based requirement, in turn, will likely hinder class certifications, which may be unable to show that issues common to the entire class still “predominate over” these individualized facts. (Fed. R. Civ. Pro. 23(b)(3).)

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.