September 19, 2016

Data, Privacy & Security Practice Report – September 19, 2016

The House Energy And Commerce Committee Requests The National Highway Traffic Safety Administration To Address Vehicle Cybersecurity Issues – On September 12, 2016, the House Energy and Commerce Committee sent a letter to the National Highway Traffic Safety Administration (“NHTSA”), the federal agency responsible for motor vehicle safety in the United States, asking the agency to convene an industry-wide effort to discuss and address cyber safety and security risks particularly associated with access to vehicle On Board Diagnostic (“OBD”) systems. 

At issue is whether the vehicle OBD-II ports provide access to the underlying vehicle architecture – a controversy sparked by researchers Charlie Miller and Chris Valasek. OBD-II ports, while initially mandated by the Environmental Protection Agency in 1994 as a means through which vehicle emissions can be tested, are also increasingly used by the aftermarket device industry and others. According to the Committee letter, numerous stakeholders have expressed concern about whether the OBD-II ports can additionally be used to gain access to vehicle systems and controls.

The Committee is requesting that NHTSA “convene an industry-wide effort to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle ecosystem.” This request is set within the backdrop of NHTSA already considering how cyber risks should be handled within the current motor vehicle regulatory framework. NHTSA has in recent years, and in response to Congressional mandates, modified its research efforts to focus more attention on vehicle electronics, including relevant cyber security considerations. NHTSA has issued various reports specifically aimed at cyber security. The Committee, however, has expressed its concern that cyber safety and security risks require “immediate and more comprehensive attention from NHTSA and the automotive industry.”

The letter can be found here. The NHTSA Report can be found here.

Reporter, Stephen Abreu, San Francisco, +1 415 318 1219, sabreu@kslaw.com.

Gannett Cannot Escape Privacy Suit Over USAToday App – On Friday, September 2, the United States District Court for the District of Massachusetts ruled against Gannett Company, Inc. (“Gannett”) in a case where Gannett allegedly violated the Video Privacy Protection Act (“VPPA”) by collecting app users’ video viewing data and sharing such data with another company. U.S. District Judge F. Dennis Saylor IV denied Gannett’s motion to dismiss the suit for lack of standing by the plaintiff, Alexander Yershov, stating that “the intangible harm allegedly suffered by Yershov from Gannett’s alleged disclosure of his [personally identifiable information] is a concrete injury in fact.” This Article III standing decision, which analyzes the “injury in fact” prong of the standing requirements established in the recent Spokeo v. Robins U.S. Supreme Court decision in the context of alleged VPPA violations, held that statutory VPPA violations themselves can result in legally cognizable injuries, even if the plaintiff suffers no additional harm.

When faced with an Article III standing issue in the context of an alleged Fair Credit Reporting Act (“FCRA”) violation in Spokeo, the Court reiterated that “to establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete or particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” However, in the context of privacy law violations, the requirement that a plaintiff show a “concrete” injury can pose problems when attempting to establish standing. When privacy violations do not directly result in monetary harm, the question arises whether the mere violation of the plaintiff’s privacy is a sufficiently concrete harm to establish that the plaintiff has suffered an injury in fact. The Spokeo Court approached this question by starting with the axiom that “[i]n determining whether an intangible harm constitutes an injury in fact, both history and the judgment of Congress play important roles.” Nevertheless, the Spokeo Court determined that, due to the particular history and intent of Congress in enacting the FCRA, the plaintiff in that case “cannot satisfy the demands of Article III by alleging a bare procedural violation [of the FCRA].”

In the wake of Spokeo, the U.S. Court of Appeals for the Third Circuit addressed this “concrete harm” issue in the case of In re: Nickelodeon Consumer Privacy Litigation, wherein children under the age of thirteen brought a putative class action lawsuit against an Internet search engine operator alleging that the operator unlawfully collected their personal information in violation of the VPPA, amongst other privacy laws. The Third Circuit in that case held that the factual allegations were sufficient to establish that the plaintiffs suffered an injury in fact because the plaintiffs’ information was disclosed to a third party. The U.S. Court of Appeals for the Seventh Circuit reached a similar conclusion when faced with this issue in the case of Sterk v. Redbox Automated Retail, LLC, stating that “[b]y alleging that [the defendant] disclosed their personal information in violation of the VPPA, [the plaintiffs] have met their burden of demonstrating that they suffered an injury in fact that success in this suit would redress.” In both In re: Nickelodeon and Sterk, the courts cited to the history of the VPPA and intent of Congress in enacting that statute to support those courts’ determinations that the plaintiffs in each case had shown they suffered a sufficiently concrete harm simply by alleging the defendants had violated the VPPA.

Here, Gannett’s motion to dismiss hinged primarily on an interpretation of the Spokeo decision that Yershov would have to show more than that his information was transmitted from one company to another to establish that he suffered an injury in fact. Instead, according to Gannett, he would have to show he incurred some actual harm as a result of such transmission. Like the Third and Seventh Circuits, Judge Saylor disagreed with this interpretation, stating in his decision that “by enacting the VPPA, [Congress] elevated an otherwise nonactionable invasion of privacy into a concrete, legally cognizable injury.” Thus, in Judge Saylor’s determination, the congressional history of the VPPA was sufficiently distinguished from that of the FCRA to allow plaintiffs to establish Article III standing for an alleged violation of the VPPA, without a showing of actual harm, even though the Spokeo Court held that a bare procedural violation of the FCRA would not satisfy the requirements for Article III standing.

While Judge Saylor’s decision did not determine the outcome of the case, it shows a trend for how the injury in fact prong of an Article III standing analysis may be determined by courts with respect to alleged violations of the VPPA. Under this interpretation of Spokeo, plaintiffs need only show that a violation of the VPPA occurred to satisfy the standard for establishing injury in fact. Plaintiffs suing under the VPPA would still have to show that the injury in fact is fairly traceable to the challenged conduct of the defendant and that the injury is likely to be redressed by a favorable judicial decision in order to satisfy the constitutional requirements under Article III for standing; however, these additional standing elements were not contested by Gannett. This serves as notice for service providers that handle the personally identifiable information of their users and customers in the context of videos and similar audiovisual media that noncompliance with the VPPA could open the door to more litigation for violations of the statute. Whether mere violations of the VPPA are sufficient to impose liability upon a company which violates that statute, or what else must be shown by the plaintiff for him or her to win damages, is yet to be clearly determined. Judge Saylor’s decision, however, provides further arguments for plaintiffs’ counsel that a plaintiff’s failure to show any additional harm on top of the VPPA statutory violation is not sufficient grounds for a defendant to dismiss a VPPA case.

Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, bschlossberg@kslaw.com.

Sixth Circuit Lowers Bar For Plaintiff’s Standing To Sue In Data Breach Cases – On September 12, 2016, a split panel from the U.S. Court of Appeals for the Sixth Circuit held in an unpublished opinion that customers of Nationwide Mutual Insurance (“Nationwide”) could pursue claims stemming from a 2012 data breach without alleging their identities had actually been stolen, or that the hackers had actually used their personal information. The Court held the plaintiffs had Article III standing to sue Nationwide for the data breach, even though the only harm the plaintiffs alleged related to a heightened risk of identity theft and certain costs associated with monitoring their credit history after the data breach. In coming to this conclusion, the Sixth Circuit panel cited recent decisions in the Seventh Circuit, which similarly held that Article III standing could be based upon fraud prevention expenses following a data breach. However, the Nationwide ruling appears to be the first data breach case in which the plaintiffs did not have to wait for actual misuse of their personal data in order to have standing to pursue their claims. 

A lower court had previously granted Nationwide’s motion to dismiss, finding (amongst other things) that the plaintiffs did not have Article III standing because they had not alleged a cognizable injury under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681. In reversing the lower court, the Sixth Circuit concluded that by claiming that the theft of their personal data had put them at increased risk for fraud, and that they had incurred related costs to mitigate this risk (such as paying for credit “freezes”), the plaintiffs had established enough for standing. The Nationwide case also represents the first data breach standing claim to be analyzed at the U.S. Court of Appeals level since the U.S. Supreme Court’s October 2015 decision in Spokeo, Inc. v. Robins, which held that Article III standing requires a concrete injury even in the context of a statutory violation (i.e., that a bare procedural violation of a statute – in this case, the FCRA – was not sufficient for Article III standing).

Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, ehalse@kslaw.com.

New York Department Of Financial Services Proposes New Cybersecurity Regulations For Financial Institutions – On Tuesday, September 13, 2016, the New York Department of Financial Services unveiled new proposed cybersecurity regulations aimed at banks, insurers, and financial services companies, imposing a host of obligations on these organizations to implement policies and procedures to protect their computer systems and networks and all nonpublic data. These new regulations are among the most comprehensive and sweeping to be issued by any U.S. regulator to date. 

The regulations broadly cover any entity subject to New York’s banking law, insurance law, and financial services law. The regulations require organizations to adopt a written cybersecurity policy that lays out policies and procedures governing, among other things, information security and access control, business continuity and disaster planning, network security and monitoring, and customer data privacy. The organization must also have specific policies outlining security procedures for information systems and private information accessible by third-party service providers, including minimum cybersecurity practice requirements for those third parties.

The regulations also impose specific requirements on organizations’ policies and procedures. These include annual penetration testing, periodic review of access privileges and security procedures, annual risk assessments, hiring of specific cybersecurity personnel, and ongoing training for all relevant employees and users. The proposed regulations also explicitly require the use of multi-factor authentication and encryption, and they require the timely destruction of nonpublic information. The regulations also require organizations to report any breaches that affect operations or that compromise nonpublic information within 72 hours of discovery to the Department of Financial Services—one of the shortest notice periods imposed by any regulator.

In addition, organizations must hire or designate a Chief Information Security Officer responsible for implementation, oversight, and enforcement of all cybersecurity policies. This Officer must report to the organization’s board of directors at least bi-annually on the cybersecurity policies and implementation, risks, and material breaches.

The proposed regulations will be officially published on September 28, 2016, which will be followed by a 45-day notice-and-comment period before their final issuance. Organizations have only 180 days after the regulations take effect to comply with most of the requirements.

The proposed regulations are available here.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.