News & Insights


February 27, 2017

Data, Privacy & Security Practice Report – February 27, 2017

District Court Rules That Statutory Violation Without Actual Damages Counts As Injury In Fact For Article III Standing—On February 15, 2017, the United States District Court for the Eastern District of Michigan denied Time Inc.’s (“Time”) motion to dismiss a lawsuit predicated on Michigan’s Video Rental Privacy Act (the “Act”).  According to the Act, “a person . . . engaged in the business of selling . . . written materials . . . shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased . . . those materials from the person engaged in the business.”  The plaintiff—Carolyn Perlin—was a subscriber to a magazine that Time published, and alleged that Time violated the Act when it disclosed to data mining companies that she had purchased a subscription to one of the company’s magazines.

In its motion to dismiss, Time argued that the plaintiff had failed to prove one of the Article III standing requirements: injury in fact.  According to the company, because of the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the plaintiff did not satisfy the injury in fact requirement because she had not alleged any injuries aside from the mere violation of the statute and entitlement to statutory damages.  The court, however, disagreed.

First, the court recognized that the Act had created a new right to privacy and that a violation of that right counts as a real and concrete harm, even if the harm is not tangible.  Second, the court determined that Time’s alleged disclosure of the plaintiff’s personal information was not a “bare procedural violation” insufficient to establish an injury in fact.  Instead, according to the court, the alleged disclosure, if proved, would be a violation of the Act’s “substantive core.”  On those grounds, along with an acknowledgement that the right the Act guarantees is similar to other privacy rights that courts have been recognizing over the last century, the court concluded that a violation of the Act counts as an injury in fact for the purposes of Article III standing.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, 

DHS Hosts Testing Events For GPS Manufacturers To Mitigate Spoofing Risks—The Department of Homeland Security (“DHS”) is hosting a series of test opportunities for manufacturers of Global Positioning System (“GPS”) receivers and components used in critical infrastructure to test their equipment against potential disruptions.  The first event, to be held from April 17-21 in Butlerville, Indiana, is intended to give manufacturers the opportunity to perform testing in a rarely available “live-sky” spoofing environment.  DHS will accept applications to participate until this Friday, March 3. 

The goal of the April event (officially called the 2017 GPS Equipment Testing for Critical Infrastructure event) is to harden technology against GPS spoofing by allowing manufacturers to test equipment in signal environments that may be legally created only under controlled conditions authorized by the government.  DHS also intends to gather data to inform manufacturing practices and foster adoption of mitigation techniques.  

GPS spoofing technology is becoming increasingly widespread as it decreases in cost.  Last year, when two Navy patrol boats wandered off course and were captured in Iranian waters, there was speculation that Iran had sent false GPS signals to lure the sailors onto another course.  More recently, the popular mobile game Pokemon GO has been plagued by GPS spoofing.

Last month, DHS issued a set of best practices entitled “Improving the Operation and Development of Global Positioning System (GPS) Equipment Used by Critical Infrastructure.”  DHS has acknowledged that “[a]ccurate and precise position, navigation, and timing (PNT) information is vital to the nation’s critical infrastructure.”  According to Sara Mahmood, a DHS program manager, DHS is likely to hold these testing events on a regular basis and currently considers itself “ahead of the problem.” 

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616,


King & Spalding’s 2017 Cybersecurity & Privacy Summit—On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit.  This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection.  King & Spalding will provide a registration link in the coming weeks.