Litigation

On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush.  The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment.  The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera.  The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence.  The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.

In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment.  The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.”  Thus, Bucci held that use of a pole camera for eight months did not constitute a search.
Continue Reading United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home

On May 5, 2020, the Seventh Circuit held that violations of the section 15(b) disclosure and informed consent provisions of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) constitute “an invasion of personal rights that is both concrete and particularized” for the purposes of establishing Article III standing to sue in federal courts.  However, the Seventh Circuit also held that the alleged harms associated with violations of section 15(a) of BIPA were insufficient to establish Article III standing.  Section 15(a) mandates public disclosure of a retention schedule and guidelines for permanent destruction of collected biometric information.

Covington has previously discussed developments in BIPA litigation, which has proliferated in recent years with the advancement of relevant technologies.  The increase in BIPA litigation has been accompanied by a rise in disputes over the nature of the harm required to sustain an action, both in state and federal courts.  Although this issue was seemingly resolved at the state-level by the Illinois Supreme Court’s 2019 Rosenbach decision, federal courts have continued to grapple with the issue for the purposes of Article III standing.
Continue Reading Seventh Circuit Rules on Article III Standing Issues in Illinois BIPA Lawsuit, Allowing Case to Proceed in Federal Court

Yesterday, the Supreme Court heard oral argument (by telephone) in Barr v. American Association of Political Consultants, a case that centers on the constitutionality of the Telephone Consumer Protection Act (TCPA), and, more specifically, the prohibition on transmitting automated calls or texts to mobile telephone numbers without prior express consent.  Given the litigious environment surrounding the TCPA, the case has important potential implications for businesses that communicate with consumers in this manner.  A transcript of the argument is available here, and a recording is available here.
Continue Reading Supreme Court Hears Argument Regarding Constitutionality of TCPA

[This article also was published in Law360.]

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]Continue Reading Litigation Options For Post-Cyberattack ‘Active Defense’

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”).  The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording
Continue Reading Lawsuit Alleges That Self-Checkout Videos Violate the Song-Beverly Act

Yesterday, the Federal Communications Commission (“FCC”) released a Public Notice seeking comment on a range of issues relevant to its interpretation of the Telephone Consumer Protection Act (“TCPA”), including how the FCC should interpret what constitutes an “automatic telephone dialing system” in the wake of a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit to vacate the agency’s prior interpretation of that term.

This same issue was the focus of a petition for declaratory ruling filed earlier this month by the U.S. Chamber Institute for Legal Reform and a number of other industry organizations.

The Public Notice seeks comment on a range of other TCPA issues, some of which also were addressed by the D.C. Circuit’s recent decision.  These include how calls to reassigned mobile telephone numbers should be treated under the TCPA and the ways in which a party may revoke his or her prior express consent to receive automated or prerecorded calls under the statute. 
Continue Reading FCC Seeking Comment on Key TCPA Reform Issues in Wake of DC Circuit Ruling

The Virginia Supreme Court held that license plate images taken by law enforcement agencies constitute “personal information,” reviving a challenge to the police storage of license plate data.

Automatic license plate readers (“ALPRs”) are used by police departments across the country to take thousands of photos of license plates per hour.  Officers check these numbers against lists of stolen or wanted vehicles.  Because ALPRs also record the date, time and location of the license plate image, groups such as the American Civil Liberties Union have argued that this collection is an invasion of privacy that allows police to track a person’s movements.

The Virginia Supreme Court’s ruling marks a significant development in a case challenging the mass collection of license plate images and location data by ALPRs.  In 2015, the ACLU sued the Fairfax County Police Department (“FCPD”) on behalf of Harrison Neal, a motorist whose license plate had been captured twice and stored pursuant to a FCPD policy for one year.  Neal alleged that FCPD’s collection and storage of ALPR data violates Virginia’s Data Act, a statute designed to prevent the unnecessary collection and storage of personal information by government agencies.  However, the circuit court rejected Neal’s claim.  The court ruled that a license plate number is not “personal information” under the Data Act because the number refers to a vehicle rather than an individual.
Continue Reading Virginia Supreme Court Holds that Police License Plate Readers Collect Personal Information

Earlier this week, the Fourth Circuit Court of Appeals affirmed a lower court decision to dismiss a Telephone Consumer Protection Act (“TCPA”) lawsuit against General Dynamics Information Technology, Inc. (“GDIT”), on the basis that GDIT was immune from suit as a government contractor under what is known as the “Yearsley doctrine.”  Craig Cunningham v. GDIT, No. 17-1592 (Apr. 24, 2018).

GDIT was hired to assist the Centers for Medicare and Medicaid Services (“CMS”), a government agency, by calling individuals using an autodialer and a pre-approved script to provide information about their health insurance options under the Affordable Care Act.  When plaintiff Craig Cunningham received one of these calls, he filed a lawsuit alleging that GDIT had violated the TCPA for failing to obtain his prior consent.

The Fourth Circuit agreed with the lower court finding that GDIT was immune from suit under the Supreme Court’s Yearsley doctrine.  In Yearsley, the Supreme Court held that the doctrine of sovereign immunity that traditionally applies to the U.S. government may be extended to government contractors in instances where (1) the government authorized the contractor’s actions in question; and (2) the government “validly conferred” such authorization.  Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20-21 (1940).  More recently, the Supreme Court applied the Yearsley doctrine to the TCPA, holding that contractors may be exempt from TCPA claims so long as they are lawfully acting on behalf of the government.  Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 672 (2016).Continue Reading 4th Circuit Affirms Dismissal of TCPA Suit Based on ‘Derivative Sovereign Immunity’

Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos.  As we have previously discussed on this blog, however, the indictment was notable for its
Continue Reading Government’s Response to Malware Defendant’s Constitutional Challenge Falls Short

The U.S. Court of Appeals for the D.C. Circuit on Friday issued a long-awaited ruling in a lawsuit challenging the Federal Communications Commission’s interpretations of key terms under the Telephone Consumer Protection Act of 1991 (“TCPA”), holding that the FCC in 2015 had adopted an unreasonably broad definition of the type of calling equipment subject to special restrictions under the TCPA — a definition so broad it would include any modern smartphone — and had failed to adequately justify its approach regarding liability for calls placed to cell phone numbers that have been reassigned to a new user.

The court upheld the FCC’s ruling that a party who has consented to receive calls may revoke that consent “through any reasonable means clearly expressing a desire to receive no further messages from the caller.”  The court also upheld the FCC’s decision to exempt from the TCPA’s consent requirements certain calls communicating urgent healthcare messages.

The D.C. Circuit’s unanimous decision addresses a consolidated set of petitions by various companies and trade associations — first filed in the summer and fall of 2015 and argued before the D.C. Circuit in 2016 — seeking review of a declaratory ruling released by the FCC in July 2015 (the “Omnibus Ruling”).  In the Omnibus Ruling, the FCC ruled on a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Petitioners sought court review of four aspects of the Omnibus Ruling:
Continue Reading D.C. Circuit Rejects Portions of FCC Decision Interpreting Key TCPA Terms