[This article also was published in Law360.]

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]


Continue Reading Litigation Options For Post-Cyberattack ‘Active Defense’

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”).  The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as

Yesterday, the Federal Communications Commission (“FCC”) released a Public Notice seeking comment on a range of issues relevant to its interpretation of the Telephone Consumer Protection Act (“TCPA”), including how the FCC should interpret what constitutes an “automatic telephone dialing system” in the wake of a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit to vacate the agency’s prior interpretation of that term.

This same issue was the focus of a petition for declaratory ruling filed earlier this month by the U.S. Chamber Institute for Legal Reform and a number of other industry organizations.

The Public Notice seeks comment on a range of other TCPA issues, some of which also were addressed by the D.C. Circuit’s recent decision.  These include how calls to reassigned mobile telephone numbers should be treated under the TCPA and the ways in which a party may revoke his or her prior express consent to receive automated or prerecorded calls under the statute. 
Continue Reading FCC Seeking Comment on Key TCPA Reform Issues in Wake of DC Circuit Ruling

The Virginia Supreme Court held that license plate images taken by law enforcement agencies constitute “personal information,” reviving a challenge to the police storage of license plate data.

Automatic license plate readers (“ALPRs”) are used by police departments across the country to take thousands of photos of license plates per hour.  Officers check these numbers against lists of stolen or wanted vehicles.  Because ALPRs also record the date, time and location of the license plate image, groups such as the American Civil Liberties Union have argued that this collection is an invasion of privacy that allows police to track a person’s movements.

The Virginia Supreme Court’s ruling marks a significant development in a case challenging the mass collection of license plate images and location data by ALPRs.  In 2015, the ACLU sued the Fairfax County Police Department (“FCPD”) on behalf of Harrison Neal, a motorist whose license plate had been captured twice and stored pursuant to a FCPD policy for one year.  Neal alleged that FCPD’s collection and storage of ALPR data violates Virginia’s Data Act, a statute designed to prevent the unnecessary collection and storage of personal information by government agencies.  However, the circuit court rejected Neal’s claim.  The court ruled that a license plate number is not “personal information” under the Data Act because the number refers to a vehicle rather than an individual.
Continue Reading Virginia Supreme Court Holds that Police License Plate Readers Collect Personal Information

Earlier this week, the Fourth Circuit Court of Appeals affirmed a lower court decision to dismiss a Telephone Consumer Protection Act (“TCPA”) lawsuit against General Dynamics Information Technology, Inc. (“GDIT”), on the basis that GDIT was immune from suit as a government contractor under what is known as the “Yearsley doctrine.”  Craig Cunningham v. GDIT, No. 17-1592 (Apr. 24, 2018).

GDIT was hired to assist the Centers for Medicare and Medicaid Services (“CMS”), a government agency, by calling individuals using an autodialer and a pre-approved script to provide information about their health insurance options under the Affordable Care Act.  When plaintiff Craig Cunningham received one of these calls, he filed a lawsuit alleging that GDIT had violated the TCPA for failing to obtain his prior consent.

The Fourth Circuit agreed with the lower court finding that GDIT was immune from suit under the Supreme Court’s Yearsley doctrine.  In Yearsley, the Supreme Court held that the doctrine of sovereign immunity that traditionally applies to the U.S. government may be extended to government contractors in instances where (1) the government authorized the contractor’s actions in question; and (2) the government “validly conferred” such authorization.  Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20-21 (1940).  More recently, the Supreme Court applied the Yearsley doctrine to the TCPA, holding that contractors may be exempt from TCPA claims so long as they are lawfully acting on behalf of the government.  Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 672 (2016).


Continue Reading 4th Circuit Affirms Dismissal of TCPA Suit Based on ‘Derivative Sovereign Immunity’

Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos.  As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins

The U.S. Court of Appeals for the D.C. Circuit on Friday issued a long-awaited ruling in a lawsuit challenging the Federal Communications Commission’s interpretations of key terms under the Telephone Consumer Protection Act of 1991 (“TCPA”), holding that the FCC in 2015 had adopted an unreasonably broad definition of the type of calling equipment subject to special restrictions under the TCPA — a definition so broad it would include any modern smartphone — and had failed to adequately justify its approach regarding liability for calls placed to cell phone numbers that have been reassigned to a new user.

The court upheld the FCC’s ruling that a party who has consented to receive calls may revoke that consent “through any reasonable means clearly expressing a desire to receive no further messages from the caller.”  The court also upheld the FCC’s decision to exempt from the TCPA’s consent requirements certain calls communicating urgent healthcare messages.

The D.C. Circuit’s unanimous decision addresses a consolidated set of petitions by various companies and trade associations — first filed in the summer and fall of 2015 and argued before the D.C. Circuit in 2016 — seeking review of a declaratory ruling released by the FCC in July 2015 (the “Omnibus Ruling”).  In the Omnibus Ruling, the FCC ruled on a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Petitioners sought court review of four aspects of the Omnibus Ruling:
Continue Reading D.C. Circuit Rejects Portions of FCC Decision Interpreting Key TCPA Terms

In a ruling with implications for both net neutrality and privacy, the Ninth Circuit ruled en banc today that the common carrier exemption in Section 5 of the FTC Act is activity-based, reversing a 2016 panel ruling that the exemption was status-based.  Today’s decision bolsters the FTC’s authority to bring consumer protection (including privacy) and competition actions against providers of Internet access service, which the FCC has ruled is not a common carrier service in connection with that agency’s repeal of net neutrality rules.

This appeal arises from the FTC’s lawsuit against AT&T alleging that AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold violated Section 5 of the FTC Act.  AT&T had challenged the FTC’s authority to bring the case, arguing that the company was immune from FTC oversight because it also offers common carrier (e.g., voice telephone) service.  Although the district court sided with the FTC on this question, a 2016 Ninth Circuit panel went the other way and, in doing so, created what the FTC and FCC agreed was a potential ‘gap’ in authority in which neither agency would have the right to police many actions by telecommunications companies. 
Continue Reading Ninth Circuit Decision Provides Critical Win to FTC in its Authority over Internet Service Providers

On December 1, 2017, the High Court of England and Wales found the fourth-largest supermarket chain in the UK, Wm Morrisons (“Morrisons”), vicariously liable for a data breach caused by the intentional criminal actions of one of its employees, namely the leaking of payroll information online.

The breach affected almost 100,000 Morrisons employees and the action, brought by 5,518 former and current employees, is considered to be the first of its kind in the United Kingdom. The data compromised in the breach included personal data such as names, addresses, and bank account details.


Continue Reading English High Court Finds Supermarket Liable for Data Breach by Employee in First Successful Privacy Class Action

On Wednesday, the Supreme Court heard oral arguments in Carpenter v.  U. S., a case that involved the collection of 127 days of Petitioner Thomas Carpenter’s cell site location information as part of an investigation into several armed robberies.  We attended the argument to gain any insights into how the Supreme Court may resolve this important case.

The central issue in the appeal is whether the government can access this type and amount of individual location data without a warrant.  But an equally important issue is whether the Supreme Court should reevaluate the “third-party doctrine” exception to the Fourth Amendment’s warrant requirement in light of dramatic changes in the way individuals interact with technology in the digital era.  The “third-party doctrine” provides that individuals have no expectation of privacy in any information that is voluntarily released to a third party—a mobile-phone provider, cloud service provider, and the like.  The Court’s decision will have major implications for technology companies’ ability to protect customer data against warrantless searches by law enforcement officials.

During the 80-minute, extended oral arguments, the Justices broadly acknowledged that technology has changed dramatically in the decades since the Court originally recognized the third-party doctrine.  Each Justice, however, appeared to place varying weight on the import of that change on current legal standards.  Justices Kennedy and Alito focused on the information itself, rather than the technology, asking whether location information should be considered more sensitive than the bank information that United States v. Miller permitted law enforcement to access without a warrant, suggesting that banking information might be considered more sensitive.  
Continue Reading The Supreme Court Arguments in Carpenter Show that It May Be Time to Redefine the “Third-Party Doctrine”