Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.
For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”
Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.
This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law, by requiring data breach notifications, and preserving the states’ enforcement authority.
The AGs’ key points are:
- State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
- States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
- States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
- Forty states participate in the “Privacy Working” group, where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
- Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
- States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
- Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of the state law. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.
Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.
Without a doubt data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.
In the interim, companies must ensure that they comply with the information security requirements and data breach notifications of applicable states. An important, and overlooked aspect is to remember that while an organization may think of itself as, say a “Vermont” or “Virginia” company, it is likely that the company has personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the affected states. In addition to data breach requirements in the event of a breach, organizations need to address applicable state data security standards.
As online gaming companies compete for business, they are offering customers increasingly large incentives to play on their websites, often in the form of deposit bonuses. These deposit bonuses allow players to play with the bonus money as if it’s cash and keep the winnings (although players cannot cash out the bonus itself). However, some players and regulators believe that some of these promotions are misleading, because they allegedly do not clearly and conspicuously disclose all of the material terms of the offer.
The UK’s Advertising Standards Authority (ASA) recently banned an advertisement by online gaming operator Betway which allegedly failed to disclose the material terms of the offer. Betway’s homepage prominently advertised a “£50 Free Bet*.” By clicking on the asterisk, users were taken to a tab listing the bonus terms, which stated that the operator would match new customers’ first deposit, from £10 to £50, with a bonus that must be used within a week from the initial deposit.
The ASA determined that the “£50 Free Bet” advertisement was misleading because it did not disclose the material terms and conditions of the offer in a clear and conspicuous manner. The ASA asserted that the “£50 Free Bet” advertisement would lead the average user to believe that they would receive a truly free bet—not that they had to first pay £50 before they could receive the “free” bet as a deposit bonus.
Gaming companies, like all advertisers, must be vigilant in ensuring that their advertisements fully disclose the terms of any offer up front. This includes information such as how much money the customer will receive (in this case, a matching deposit bonus up to £50), what the customer must do to earn the bonus (make a deposit), when the customer will receive the incentive (whether they receive it in a lump sum immediately upon deposit, or whether additional milestones in play or deposits must be reached), and how long they have to use the bonus funds. In the United States, the Federal Trade Commission and state Attorneys General may bring actions for alleged deceptive advertising offers, and in many states customers may bring suit for the purportedly misleading offers. In operators’ quest to compete for customers and make attractive offers, they should proceed with caution and err on the side of full disclosure in doing so.
For-profit education was dealt a major blow in a federal court case challenging the Department of Education’s Gainful Employment Rule. U.S. District Court Judge Lewis Kaplan of New York dismissed a lawsuit that was filed last November by the Association of Proprietary Colleges. The lawsuit is one of two filed in federal court shortly after the Department of Education issued its revised version of the Gainful Employment Rule. The second lawsuit, brought by the Association of Private Sector Colleges and Universities, is still pending before a federal judge in D.C.
In his opinion, Judge Kaplan rejected APC’s arguments that the Gainful Employment Rule (1) violates colleges’ constitutional due process rights, (2) violates the plain language of the statute, exceeding statutory authority, and (3) is arbitrary and capricious. Kaplan held there could be no due process issues as for-profit colleges do not have a “vested right” to participate in federal student aid programs. He discounted as ill-conceived or misleading arguments that the rule exceeds statutory authority. And he dismissed APC’s allegations that the rule as drafted is arbitrary and capricious.
Judge Kaplan’s rejection of APC’s lawsuit is hailed as a victory by detractors of the for-profit education industry who are anxious to see the new rule implemented this July. Some project that Kaplan’s opinion will influence the direction of the pending federal case in D.C. But, despite these portents, the legal theories in the two suits are distinct enough that APSCU’s case should not be overshadowed. The APSCU’s suit centers on how and why the Gainful Employment Rule, as drafted, would disparately impact populations, identifying concern that the rule would “impose massive disincentives” on schools from recruiting “low-income, minority, and other traditionally underserved student populations, because, as an historical matter, those demographics are widely recognized as most at risk of failing the Department’s arbitrary test.”
The complaint also identifies concerns regarding the DoE’s rulemaking process, which it alleges was marred by “well-substantiated allegations of bias and misconduct that led several Members of Congress to accuse the Department of bad faith.” Perhaps it will not go without notice, the next opinion around, that the DoE’s proposed rule more than doubled in size at the 11th hour of the rulemaking process, flying in the face of the purpose of the public notice and comment period.
It is surprising to see so many consumer advocate groups cheering a marred process and pushing for standards that will have the effect of discouraging education opportunities for historically underserved low-income and minority students. It can’t be that their intentions are bad. It is more likely that detractors of for-profit education are narrowly focused on examples of bad actors in the field—that have been called out by authorities for predatory lending practices and misrepresenting the quality or results of their programs. Indeed the industry is not shy of regulators scrutinizing and penalizing bad practices. For-profit education has the likes of the SEC, CFPB, FTC, and a bevy of state attorneys general at the ready. You might think that those skeptical of for-profit education could look to the work done by these agencies and be satisfied that problems are being addressed.
While detractors breathlessly anticipate another judicial benediction of the DoE’s rulemaking, hopefully the next round of judicial opining will address not just the extent of the DoE’s statutory authority but also how the DoE can and should carry out its purpose. In the meantime, for-profit educators would do well to continue efforts to disseminate data that shows how they meet important needs that other schools do not and how their costs compare to actual costs of other schools (e.g., including data on taxpayer funding of community colleges). Perhaps many of the well-intentioned skeptics would be less anxious to see the end of the industry.
The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.
Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.
What can companies learn from Nomi’s settlement, even those not in the retail tracking business?
- While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
- The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
- Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).
The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.
In e-commerce, user reviews can make or break a business. Review sites such as Yelp are a double edged sword for merchants and service providers: on one hand satisfied customers can generate buzz about the company and bring in new customers, and on the other hand dissatisfied customers can use it as a very public platform to air their grievances and discourage new business.
Review sites such as Yelp maintain policies protecting users’ anonymity, a major source of frustration among business owners. By remaining anonymous, users can make potentially defamatory statements and leave the businesses with little recourse to hold the individuals accountable. A recent ruling by the Virginia Supreme Court has demonstrated the long and tortured road that businesses must take to challenge the anonymity of these unnamed users.
In 2012 a small Virginia company, Hadeed Carpet Cleaning Inc., brought suit against unnamed Doe defendants for allegedly defamatory statements published about Hadeed on the Yelp review website. According to Hadeed, a number of negative reviews did not match up to records of the company’s existing customers, and therefore the company suspected that the false statements were published by individuals who had never used the company’s services. The Circuit Court for the City of Alexandria, Virginia, issued a subpoena to Yelp requiring it to provide identifying information about the anonymous users. Yelp refused to comply, and the Circuit Court held Yelp in contempt.
Yelp appealed, arguing that the court’s order violated the First Amendment by forcing the company to identify the anonymous users. In January 2014 the Court of Appeals upheld the Circuit Court’s order, applying a six-prong procedure Virginia’s “unmasking statute,” which provides that the court may issue a subpoena to unveil the identity of an individual speaking anonymously over the internet where (1) notice of the subpoena was served on the anonymous speaker through his internet service provider, (2) the plaintiff has a legitimate, good faith basis to contend that communications may be tortious or illegal, (3) other efforts to identify the speaker have been fruitless, (4) the identity of the communicator is important, (5) there is no pending motion challenging the viability of the lawsuit, and (6) the entity to whom the subpoena is addressed is likely to have responsive information.
The Court of Appeals noted that Hadeed had followed the proper procedure in requesting the subpoena. The court found that the company’s evidence that the reviews did not match customer records was sufficient to establish they were not published by actual customers of the company, and were therefore likely to be false.
Yelp appealed the Circuit Court decision to Virginia’s Supreme Court. Last month, the Virginia Supreme Court issued an anticlimactic ruling dismissing the case on jurisdictional grounds, stating that the case should have been brought in California where Yelp is headquartered and where the responsive records are located.
If Hadeed chooses to resume the case in California, if will face a somewhat higher burden in obtaining the names of the users. Notably, Virginia is the only state in the country to have enacted an unmasking statute. In most states, the courts will no issue a subpoena until the plaintiff has established a prima facie case for defamation—significantly more than the “legitimate, good faith basis” used in Virginia.
Photo at vi.wikipedia.org
A recent legal case in the UK between singer Rihanna and fashion retailer Topshop has highlighted differences between publicity rights in the UK and some US jurisdictions. Rihanna sued Topshop for its sale of a t-shirt bearing a large photograph of her. Rihanna had not approved or endorsed the sale of the t-shirt; rather, an independent photographer had taken the picture and licensed it for use on the shirts.
In the United States, many jurisdictions have laws governing the right of publicity; that is, the right to control the use of your image for commercial gain, or to be compensated for the commercial use of your image. The UK, however, does not have corresponding laws on image rights. Instead, Rihanna had to allege that Topshop engaged in “passing off” the shirts as being endorsed by the singer, thereby damaging her goodwill and business. In support, Rihanna argued that the circumstances of the sale of the shirts were likely to mislead customers into thinking that she had endorsed the product because the photograph was similar to those used in official album promotions, the nature of the shirt itself, and the fact that Topshop is a major and reputable retailer.
The lower court considered Rihanna’s prior connections to the store in considering whether passing off occurred. It noted that Topshop had previously run a competition in which the winner was awarded with a shopping trip to Topshop. Also, only weeks before the shirts went on sale, Topshop tweeted that Rihanna was shopping at one of its locations. Against that background, the court noted that the particular photograph on the shirt could have led her fans to believe that it was associated with the marketing campaign for the album, since the particular hairstyle and scarf worn by Rihanna in the photograph were widely used in a music video and associated publicity.
Ultimately Rihanna’s passing off arguments were successful, and the court granted an injunction prohibiting Topshop from selling the shirts without informing customers that they had not been approved or authorized by Rihanna. However, it is interesting to think what the result might have been in an instance where it was more obvious that Rihanna had not endorsed the product; for instance, if the t-shirts were sold, not through a trusted retailer which has been associated with the singer but instead by an independent seller hawking t-shirts on the street corner. In such circumstances the case in favor of passing off may have been weaker and Rihanna might not have been able to control the use of her image.
In contrast, the outcome under such a scenario might be very different in a state like California, which has strong right of publicity laws. California Civil Code §3344(a) forbids the use of another’s likeness “on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person’s prior consent…” The law establishes liability $750 or actual damages, whichever is greater, as well as “any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages.” Punitive damages and attorney’s fees and costs are also available under the statute.
While Rihanna’s victory in UK court does not establish a right of publicity in the country, it does provide an interesting case study in the workarounds that celebrities must use in order to protect their image from being improperly used in jurisdictions which do not have a right of publicity.
The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls. So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”). (Though under FCC rules she would have an issue calling wireless numbers). However, companies may not telemarket under the guise of exempt political calls. Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls. CCL settled, agreeing to pay $500,000 of a $7.2 million dollar penalty, and to comply with multiple compliance mechanisms.
CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey. However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply). A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.
While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing. FTC rules prohibit robocalls to telemarket except with prior express consent. Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls. While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules. The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.
In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:
The TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls, by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.
The FTC will carefully review, and proceed against companies who violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.
A settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.
* * *
While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations. The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.
FTC seems more confident than ever in its authority to go after companies with insufficient data security measures. As of January 2015, FTC had settled 53 data-security enforcement actions, and FTC Senior Attorney Lesley Fair expects that number to increase.
Not everyone is sanguine about FTC’s enforcement efforts. Companies targeted for administrative action complain that the Commission is acting beyond its delegated powers under the Federal Trade Commission Act (the “FTCA”). So far, courts have declined to intervene in any administrative action that is not yet resolved at the agency level.
One such case involves LabMD, Inc., an Atlanta-based cancer-screening laboratory. At least nine years ago, someone downloaded onto the billing department manager’s computer a peer-to-peer file-sharing application called Limewire. Hundreds of files on the computer were designated for sharing on the network, including an insurance aging report that contained personal information for more than 9,000 LabMD customers. In 2008, a third party notified LabMD that the aging report was available on Limewire. The application was promptly removed from the billing department manager’s computer, but the damage allegedly had been done. According to FTC, authorities discovered in October 2012 that data from the aging report and other LabMD files were being used to commit identify theft against LabMD’s customers.
Ten months later, FTC filed an administrative complaint against LabMD alleging that it had failed to employ reasonable and appropriate data security measures. FTC further alleged that LabMD could have corrected the problems at relatively low cost with readily available security measures. By contrast, LabMD’s customers had no way of knowing about the failures and could not reasonably avoid the potential harms, such as identity theft, medical identity theft, and disclosure of sensitive, private, medical information. On these facts, FTC alleged that LabMD had committed an unfair trade practice in violation of the FTCA.
LabMD tried to get the administrative action dismissed on several grounds, including that the FTCA does not give the Commission express authority to regulate data-security practices. The Commission denied LabMD’s motion, explaining that Congress gave FTC broad jurisdiction to regulate unfair and deceptive practices that meet a three-factor test: section 5(n) provides that, in enforcement actions or rulemaking proceedings, the Commission has authority to determine that an act or practice is “unfair” if (i) it causes or is likely to cause substantial injury to consumers which is (ii) not reasonably avoidable by consumers themselves and (iii) not outweighed by countervailing benefits to consumers or competition. Commissioners noted that the FTCA as passed in 1918 granted FTC the authority to regulate unfair methods of competition. When courts took a narrow view of that authority, Congress responded by amending the FTCA to clarify that the Commission has authority to regulate unfair acts or practices that injure the public, regardless of whether they injure one’s competitors. According to the Commission, the statutory delegation is intentionally broad, giving FTC discretionary authority to define unfair practices on a flexible, incremental basis. For these and other reasons, the administrative action against LabMD would proceed.
Having failed to get the case dismissed, LabMD sought relief from the federal courts to no avail. On January 20, 2015, the U.S. Court of Appeals for the Eleventh Circuit dismissed LabMD’s suit for lack of subject-matter jurisdiction. The court explained that it lacked the power to decide LabMD’s claims in the absence of final agency action. FTC had filed a complaint and issued an order denying LabMD’s motion to dismiss. But neither was a reviewable agency action because neither represented a “consummation of the agency’s decision-making process.” Moreover, “no direct and appreciable legal consequences” flowed from the actions and “no rights or obligations had been determined” by them.
LabMD can challenge FTC’s data-security jurisdiction only after the Commission’s proceedings against it are final. That may well be too late. As a result of FTC’s enforcement action, the company was forced to wind down its operations more than a year ago.
LabMD is one of very few companies to test FTC’s data-security jurisdiction. In 2007, a federal court in Wyoming sided with FTC in holding that the defendant’s unauthorized disclosure of customer phone records was an unfair trade practice in violation of the FTCA. The Tenth Circuit affirmed that decision on appeal.
More recently, a district court in New Jersey gave FTC a preliminary victory against Wyndham Worldwide Corporation. In that case, the court held that FTC’s unfairness jurisdiction extends to data-security practices that meet the three-factor test under Section 5(n). That decision is currently on appeal before the Third Circuit. During oral argument on March 3rd, the three-judge panel signaled little doubt that FTC has authority to regulate unreasonable cybersecurity practices. Instead, the panel was concerned with how the Commission exercises that authority—specifically, whether and how it has given notice as to what data security measures are considered to be “unfair.”
A class action lawsuit recently instituted in federal court in the Northern District of California, Hunter v. Lenovo et al., alleges that Lenovo Inc., a computer manufacturer, violated its customers’ rights by selling computers which came preinstalled with alleged spyware manufactured by Superfish Inc., another named defendant. The purported class alleges that the Superfish software monitors user activity and displays pop-up ads, among other things, as part of an “image-based search” function which identifies images on the user’s screen and seeks out similar images on the web. The complaint states causes of action for violations of the Electronic Communications Privacy Act and the Stored Communications Act, as well as unjust enrichment.
The Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 provides criminal penalties for anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility.” The SCA has been cited by plaintiffs in other class actions in which users allege that a technology company has overstepped its bounds. For instance, in Perkins v. LinkedIn Corp., No. 13-CV-04303-LHK, 2014 WL 2751053 (N.D. Cal. June 12, 2014), a putative class of LinkedIn users alleged that the social networking company violated the SCA by collecting contacts from users’ external email accounts. The court granted LinkedIn’s motion to dismiss the SCA claims, noting that the users consented to the collection of email addresses in a prominent disclosure, and therefore LinkedIn was “authorized” to collect the information, an exception to the SCA pursuant to 18 U.S.C. §2701(c).
Although the suit is still pending, Lenovo has reversed course on the Superfish software. Lenovo has disabled Superfish on computers which came pre-installed with the software, its websites offer instructions for users to uninstall the software altogether, and Lenovo computers no longer come preinstalled with the program. While these remedial actions may be an appropriate response to user concerns, they do not constitute an admission of legal liability in the class action suit. The defendants may still argue that users consented to the software, even as they remove it from the computers.
The law of unintended consequences – a distant cousin of Murphy’s Law – states that the actions of human beings will always have effects that are unanticipated and unintended. The law could prove a perfect fit for recent efforts by class action counsel to rely upon the Federal Wiretap Act in lawsuits arising from adware installed on personal home computers.
Take, for example, the recently filed case of Bennett v. Lenovo (United States), Inc. In that case, the plaintiff seeks to represent a class of purchasers of Lenovo laptop computers complaining that “Superfish” software that was preloaded on the laptops directed them to preferred advertisements based on their internet browsing behavior. The most interesting claim included in the complaint is the assertion that Lenovo and Superfish violated the Federal Wiretap Act.
Wiretap? What wiretap?
The Federal Wiretap Act was originally passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. These provisions were included, at least in part, as a result of concerns about investigative techniques used by the FBI and other law enforcement agencies that threatened the privacy rights of individuals. In passing the Wiretap Act, Congress was clearly focused on the need to protect communications between individuals by telephone, telegraph and the like. The Electronic Communications Privacy Act of 1986 (ECPA) broadened the application of the statute by expanding the kinds of communications to which the statute applied. But the focus was still on communications between individuals.
As is often the case, technology is testing the boundaries of this nearly 50-year-old law. The Bennett case is not the first case in which a plaintiff has argued that software on his or her computer that reads the user’s behavior violates the Wire Act. In some cases, the software in question has been so-called “keylogging” software that captures every one of a user’s keystrokes. Cases considering such claims (or similar claims under state statutes modeled after the federal Act) have been split – some based on the specifics of when and how the software actually captured the information, and others based possibly on differences in the law in different parts of the country.
One of the more interesting cases, Klumb v. Gloan, 2-09-CV 115 (ED Tenn 2012), involved a husband who sued his estranged wife when he discovered that she had placed spyware on his computer. At trial, the husband demonstrated that during his marriage, his wife installed eBlaster, a program capable of not only recording key strokes, but also intercepting emails and monitoring websites visited. The husband alleged that once intercepted, the wife altered the emails and other legal documents to make it appear as if the husband was having an affair. The motive? Money, of course. Adultery was a basis to void the pre-nuptial agreement that the parties had executed prior to their ill-fated marriage. The wife – who was a law school graduate – argued that the installation was consensual. Although consent is a recognized defense to a claim of violating the Federal Wiretap Act, for a variety of reasons, the court discredited the wife’s testimony regarding the purported consent and awarded damages and attorney’s fees to the husband plaintiff.
The Bennett plaintiffs may or may not succeed in showing the facts and arguing the law sufficient to prevail in their claim, and we know too little about the facts in that case to express a prediction of the result in that case. But we can state with confidence that the continued expansion of how the Wiretap Act is applied will, at some point, require that Congress step in and update the statute to make clear how it applies in the new internet-based world in which we now live.