On Wednesday, the Supreme Court heard oral arguments in Carpenter v. U.S., a case that involved the collection of 127 days of Petitioner Thomas Carpenter’s cell site location information as part of an investigation into several armed robberies. We attended the argument to gain any insights into how the Supreme Court may resolve this important case.

The central issue in the appeal is whether the government can access this type and amount of individual location data without a warrant.  But an equally important issue is whether the Supreme Court should reevaluate the “third-party doctrine” exception to the Fourth Amendment’s warrant requirement in light of dramatic changes in the way individuals interact with technology in the digital era.  The “third-party doctrine” provides that individuals have no expectation of privacy in any information that is voluntarily released to a third party—a mobile-phone provider, cloud service provider, and the like.  The Court’s decision will have major implications for technology companies’ ability to protect customer data against warrantless searches by law enforcement officials.

During the 80-minute, extended oral arguments, the Justices broadly acknowledged that technology has changed dramatically in the decades since the Court originally recognized the third-party doctrine. Each Justice, however, appeared to place varying weight on the import of that change on current legal standards. Justices Kennedy and Alito focused on the information itself, rather than the technology, asking whether location information should be considered more sensitive than the bank information that United States v. Miller permitted law enforcement to access without a warrant, suggesting that banking information might be considered more sensitive.
Continue Reading The Supreme Court Arguments in Carpenter Show that It May Be Time to Redefine the “Third-Party Doctrine”

On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three of the six counts in the Federal Trade Commission’s (“FTC’s”) January 2017 complaint against D-Link Systems, Inc., allowing the FTC until October 20, 2017 to amend its complaint.

The FTC’s complaint alleged that D-Link engaged in unfair and deceptive practices by marketing its routers and Internet-protocol (“IP”) cameras as providing the “latest wireless security features to help prevent unauthorized access” and the “best possible encryption” protections, but nonetheless failing to protect its products from “widely-known and reasonably foreseeable risks of unauthorized access.”
Continue Reading District Court Dismisses Multiple Counts in FTC’s Complaint Against D-Link

By Benjamin Duke, Matt Schlesinger, and Scott Levitt

[This article was also published as a Client Alert.]

Two recent federal district court decisions involving computer “spoofing” scams highlight the uncertainty about whether such incidents may be covered under standard “computer fraud” provisions in widely used crime insurance forms. The conflicting results in these cases provide a stark reminder to policyholders that seemingly minor differences in policy wordings can have a major impact on the scope of coverage – and severe financial consequences.

“Spoofing” refers to the practice of manipulating a commercial e-mail to falsify the e-mail’s true origin, without the consent or authorization of the user whose e-mail address is “spoofed.” See Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007). As recent cases reflect, scam artists have used spoofing—also known as “business email compromise,” “social engineering,” or “fake president” fraud—to induce even high-level executives of sophisticated companies to transfer millions of dollars to accounts under the scammers’ control. Faced with irretrievable losses, many companies have understandably looked first to the “computer fraud” and other provisions of their corporate crime policies for insurance coverage.

Last month, in Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529, __ F. Supp. 3d __ (S.D.N.Y. July 21, 2017), the court found coverage under the “computer fraud” provision of the insured’s crime policy for a $4.8 million loss resulting from an email spoofing scam. The scam started with a spoofed email to an accounts payable employee purportedly from Medidata’s president, directing the employee to await an attorney’s wire transfer instructions to pay for an impending acquisition. Id. at *1. That same day, the purported attorney called with instructions to process the wire transfer, and a subsequent spoofed email induced both Medidata’s vice-president and its CFO to sign off on the transfer. Id. at *2. Not until two days later did the company realize that it had been defrauded. Id.
Continue Reading Recent Cases on E-Mail “Spoofing” Coverage Highlight the Impact of Specific Crime Policy Wordings

The closely watched lawsuit alleging Spokeo, Inc., violated the Fair Credit Reporting Act (“FCRA”) may proceed, after a federal appeals court ruled — on remand from the Supreme Court — that publication of the inaccuracies alleged by the plaintiff would constitute a sufficiently “concrete” harm to give the plaintiff standing to sue in federal court.

By Alex Berengaut

[This article also was published in Law360.]

In May 2017, the “WannaCry” malware was used to launch a worldwide ransomware cyberattack. WannaCry encrypted files on victim computers and demanded a ransom payable in bitcoin to provide the encryption key. The attack was stopped when a British security researcher, Marcus Hutchins, accidentally discovered and activated a “kill switch” in the malware.

In a dramatic turn of events, Hutchins was arrested earlier this month by the FBI in Las Vegas as he was returning home from a cybersecurity conference. He wasn’t charged for anything to do with WannaCry; rather, the government alleged that he had created and conspired to sell a different piece of malware, the “Kronos Banking trojan,” a piece of software that recorded and stole user credentials and other personal identifying information. On Aug. 14, 2017, he pleaded not guilty to the charges against him.

Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act.[1] It is likely that these issues will be litigated as the case unfolds.

But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country. Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.[2] As the Second Circuit has put it, “[i]n order to apply extraterritorially a federal criminal statute to a defendant consistently with due process, there must be a sufficient nexus between the defendant and the United States so that such application would not be arbitrary and fundamentally unfair.”[3]
Continue Reading Is The Hutchins Indictment Over Malware Unconstitutional?

Customers’ allegations that they face a substantial risk of identity theft as a result of a 2014 data breach are sufficiently plausible to allow their suit against health insurer CareFirst to proceed, the U.S. Court of Appeals for the D.C. Circuit held in an August 1 decision.

CareFirst discovered in April 2015 — and announced a month later — that an unknown intruder had gained access in June 2014 to a database containing personal information about CareFirst’s customers.  Seven customers then brought a class-action lawsuit against CareFirst in the federal district court in Washington, D.C., alleging among other things that CareFirst was negligent in protecting customer data, and that customers as a result faced an increased risk of identity theft.

The district court dismissed the suit, finding that the plaintiffs had not alleged that hackers had accessed the plaintiffs’ social security numbers or credit card information, and that the risk of hackers stealing the plaintiffs’ identities without such information was too speculative to satisfy the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.”  The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury.
Continue Reading D.C. Circuit: Data Breach Plaintiffs Plausibly Allege ‘Substantial Risk’ of ID Theft Sufficient to Support Standing

The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans.  According to the panel opinion, the FTC lacked jurisdiction over AT&T’s

In Perry v. Cable News Network, the Eleventh Circuit dealt another loss to putative class-action plaintiffs seeking to use the Video Privacy Protection Act (“VPPA”) as a weapon against free online video services. The court affirmed that to be a “subscriber” of a video service—someone who can sue under the VPPA—one must have a genuine commitment, relationship, or association with that service. Because the Perry plaintiff could not show that, he lost.

The VPPA creates a cause of action for video service providers that disclose their consumers’ personally identifiable information alongside their viewing information. The typical Internet example is a paid video service that gives an advertiser a paying subscriber’s email address and viewing history.

To sue under the VPPA, a person must be a “consumer.” The VPPA defines that term as meaning a renter, purchaser, or subscriber of goods or services from a video service provider. “Subscriber” has raised the question of whether someone who downloads and uses a free app can be a “consumer” who can sue under the VPPA. At least in the Eleventh Circuit, Ellis v. Cartoon Network, Inc. answered that question: something more than mere use is needed. Instead, Ellis held that a proper VPPA plaintiff needs “some type of commitment, relationship, or association (financial or otherwise)” between the plaintiff and the video service provider.

In Perry, the district court relied on Ellis to dismiss plaintiff Perry’s suit without leave to amend because he was merely a user of CNN’s free app. Perry argued he could state a VPPA claim because he subscribed to CNN’s television channel through his cable package. This cable subscription let Perry access exclusive content via the CNN app. Perry said this made him a CNN app subscriber. He also said he paid CNN indirectly through his cable subscription. Perry appealed to the Eleventh Circuit on those theories.
Continue Reading Eleventh Circuit Hands Another VPPA Loss to Video App Plaintiffs

A Minnesota state court on February 1, 2017, issued an unusually broad search warrant directed to Google in connection with a wire fraud case.  The warrant seeks a broad set of data about all users who searched on Google for a specific person between December 1, 2016 and January 7, 2017.  The warrant became public after a researcher published an article discussing the warrant application and judge’s order.

Continue Reading Broad Minnesota Warrant Seeks Data on All Users Who Googled Fraud Victim

On Monday, the U.S. District Court for the District of Kansas ruled that the named plaintiff for a putative class of CareCentrix employees whose personal information was compromised had alleged enough harm for standing under Spokeo, Inc. v. Robins.  The case is Hapka v. CareCentrix, Inc.

In early 2016, a phishing attack compromised