District Court Dismisses Multiple Counts in FTC’s Complaint Against D-Link

On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three of the six counts in the Federal Trade Commission’s (“FTC’s”) January 2017 complaint against D-Link Systems, Inc., allowing the FTC until October 20, 2017 to amend its complaint.

The FTC’s complaint alleged that D-Link engaged in unfair and deceptive practices by marketing its routers and Internet-protocol (“IP”) cameras as providing the “latest wireless security features to help prevent unauthorized access” and the “best possible encryption” protections, but nonetheless failing to protect its products from “widely-known and reasonably foreseeable risks of unauthorized access.” Continue Reading

EU Announces Major New Cybersecurity Plans

By Mark Young on September 20, 2017 Posted in Cybersecurity, European Union

Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against climate change, and one above migration and protecting Europe’s external borders.

The full extent of the Commission’s ambition and plans in relation to cybersecurity is revealed in a detailed Communication, entitled Resilience, Deterrence and Defence: Building strong cybersecurity for the EU—a joint publication by the Commission and High Representative of the Union for Foreign Affairs and Security Policy.

We have prepared an alert that summarizes key elements of the Communication and Cyber Package that we think will be of most interest to our clients and readers of this blog. For the alert, click here.

GDPR Contracts and Liabilities Between Controllers and Processors

By Joshua Gray on September 18, 2017 Posted in Data Security, European Union, Sourcing, Technology Transactions, United Kingdom

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below. Continue Reading

New Ruling in European Employee Monitoring Case

By Phil Bradley-Schmieg on September 12, 2017 Posted in European Union, Social Media

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer. That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment. The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual. A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case). Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned. Continue Reading

FTC Reaches Settlement with Influencers; Issues Updated Guidance

By Jadzia Butler on September 11, 2017 Posted in Advertising & Marketing, Federal Trade Commission, Online, Social Media, United States

The FTC recently announced that it reached a settlement with two social media influencers, Trevor Martin and Thomas Cassell, for deceptively endorsing their owned and operated online gambling service “CSGO Lotto” without disclosing that they were the owners of the site, as well as paying other well-known social media influencers to promote the site without requiring them to disclose the payments in their posts. In addition, the FTC issued warning letters to 21 out of the 90 social media influencers it had sent educational letters to earlier this year, citing specific social media posts that they felt still failed to “clearly and unambiguously” disclose a material connection between the influencers and the brands or products they were promoting. The letters asked them to respond in writing, by September 30th, advising staff of whether they do, in fact, have a material connection with the brands/products cited in the letters and, if so, describing how they will ensure such relationship is clearly disclosed going forward. Finally, the FTC updated its guidance on its official Endorsement Guidelines with additional examples featuring common social media advertising mechanisms such as Instagram, Snapchat, and Facebook. Continue Reading

UK Government Proposes Cybersecurity Law with Serious Fines

By Mark Young on August 31, 2017 Posted in Data Security, European Union, United Kingdom

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so. The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next. A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details. Continue Reading

Digital Health Check-Up: Key Questions Market Players Should Be Asking

By Inside Privacy on August 30, 2017 Posted in Health Privacy

On our sister blog, CovingtonDigitalHealth, our global cross-practice digital health team has launched a three-part series on the key questions the technology, life sciences and communications industries should be considering as they fit together the regulatory and commercial pieces of the complex digital health puzzle. Read the first post in the series here.

GAO Releases New Vehicle Data Privacy Report

By Jadzia Butler on August 29, 2017 Posted in Emerging Technologies, Privacy Policies

On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments. The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.

Process

The GAO turned to a variety of resources to explore the four identified issues. For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S. In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”). Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce. Continue Reading

Recent Cases on E-Mail “Spoofing” Coverage Highlight the Impact of Specific Crime Policy Wordings

By Inside Privacy on August 29, 2017 Posted in Litigation

By Benjamin Duke, Matt Schlesinger, and Scott Levitt

[This article was also published as a Client Alert.]

Two recent federal district court decisions involving computer “spoofing” scams highlight the uncertainty about whether such incidents may be covered under standard “computer fraud” provisions in widely used crime insurance forms. The conflicting results in these cases provide a stark reminder to policyholders that seemingly minor differences in policy wordings can have a major impact on the scope of coverage – and severe financial consequences.

“Spoofing” refers to the practice of manipulating a commercial e-mail to falsify the e-mail’s true origin, without the consent or authorization of the user whose e-mail address is “spoofed.” See Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007). As recent cases reflect, scam artists have used spoofing—also known as “business email compromise,” “social engineering,” or “fake president” fraud—to induce even high-level executives of sophisticated companies to transfer millions of dollars to accounts under the scammers’ control. Faced with irretrievable losses, many companies have understandably looked first to the “computer fraud” and other provisions of their corporate crime policies for insurance coverage.

Last month, in Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529, __ F. Supp. 3d __ (S.D.N.Y. July 21, 2017), the court found coverage under the “computer fraud” provision of the insured’s crime policy for a $4.8 million loss resulting from an email spoofing scam. The scam started with a spoofed email to an accounts payable employee purportedly from Medidata’s president, directing the employee to await an attorney’s wire transfer instructions to pay for an impending acquisition. Id. at *1. That same day, the purported attorney called with instructions to process the wire transfer, and a subsequent spoofed email induced both Medidata’s vice-president and its CFO to sign off on the transfer. Id. at *2. Not until two days later did the company realize that it had been defrauded. Id. Continue Reading