In a recent article in Entrepreneur, Sheppard Mullin partner Jonathan Meyer, a former Senate counsel to Vice President Biden and Deputy General Counsel at the Department of Homeland Security, points out that Congressional oversight of companies is likely to increase in the next two years, and that cybersecurity is among the hottest topics it is likely to focus on. The public’s increasing attention to issues such as DDoS attacks, the vulnerability of the Internet of Things, and allegations of politically-motivated hacks from overseas will only increase this likelihood. As always, companies should keep an eye on Capitol Hill, and be ready for what might come their way.
The U.S. Copyright Office’s new electronic system for copyright-agent registration and maintenance goes into effect on December 1, 2016, and with it comes new rules. Beginning December 1, all online service providers must submit new designated-agent information to the Copyright Office through the online registration system. Electronic designations should be filed on December 1, 2016, or as soon as possible thereafter. Service providers who fail to timely submit electronic designations will be ineligible for the safe harbor from copyright-infringement liability provided by § 512(c) of the Digital Millennium Copyright Act.
Last Thursday, in a vote split along party lines, the Federal Communications Commission (“FCC”) approved a new regulatory regime staking its claim to privacy regulation of both fixed and mobile Internet service providers (“ISPs”) like Comcast, Verizon, and AT&T. The FCC’s rules follow its decision in the Open Internet Order, released last year and analyzed here, to classify broadband Internet access service as a common-carrier telecommunications service. The FCC’s new rules are intended to give consumers control over the ways in which ISPs use and share their customers’ private information. While the FCC has yet to release its Report and Order, the FCC’s Fact Sheet and statements by the commissioners indicate that the new privacy rules in many respects track the proposed rules the FCC put forward earlier this year, which seek to make the FCC the “toughest” privacy regulator in the Internet ecosystem by imposing on ISPs significantly more onerous and restrictive requirements for use and collection of consumer data than the Federal Trade Commission (“FTC”) imposes on its non-ISP competitors.
In Federal Trade Commission v. LeadClick Media, LLC, 2016 U.S. App. LEXIS 17383 (2nd Cir. 2016), the Second Circuit recently held that an affiliate marketing network provider could be subjected to liability under the Federal Trade Commission Act (“FTC Act”) for deceptive marketing materials published by the affiliates. It also concluded that Section 230 of the Communications Decency Act (“CDA”) did not immunize the network provider from liability. In doing so, the Second Circuit emphasized that the network provider had knowledge of and the authority to control the content of the affiliate websites. This ruling could increase the exposure of internet businesses to liability for deceptive acts or practices engaged in by third-party vendors or independent contractors.
In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, providing guidance on the “injury-in-fact” aspect of the constitutional standing requirement for putative class action plaintiffs. 136 S. Ct. 1540 (2016), as revised (May 24, 2016). Spokeo was quickly hailed by both plaintiff- and defense-side lawyers as a major victory, but in truth provided something for everyone. It requires, for example, that a plaintiff allege “a concrete injury even in the context of a statutory violation . . .” and not merely a “bare procedural violation, divorced from any concrete harm.” Id. at 1543, 1549. Further, a “concrete” injury must “actually exist” and be “real, and not abstract.” Id. at 1548. On the other hand, a “concrete” injury is not “necessarily synonymous with ‘tangible.’” Id. at 1549. Ways to determine whether “intangible” harm qualifies as “concrete” include: (1) evaluating whether the alleged harm “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit” and (2) looking to the judgment of Congress which “has the power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.” Id.
If the New York State Department of Financial Services (“DFS”) has its way, come January 1, 2017, financial services companies that require a form of authorization to operate under the banking, insurance, or financial services laws (“Covered Entities”) will be required to comply with a new set of comprehensive cybersecurity regulations aimed at safeguarding information systems and nonpublic information.
Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco-based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software, with a price tag of $1 million, primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patch, iOS 9.3.5, and urged users to install it immediately.
The Securities and Exchange Commission’s (“SEC”) recent $1 million settlement with Morgan Stanley Smith Barney LLC (“MSSB”) marked a turning point in the agency’s focus on cybersecurity issues, an area that the agency has proclaimed a top enforcement priority in recent years. The MSSB settlement addressed various cybersecurity deficiencies that led to the misappropriation of sensitive data for approximately 730,000 customer accounts.
Illinois and Texas recently enacted laws regulating the collection and use of biometric information (i.e., information based on an individual’s biometric identifiers, such as iris scans, fingerprints, voiceprints, or facial geometry), and a number of other states, including New York and California, are considering adopting such statutes. The Illinois Biometric Information Privacy Act (“BIPA”) permits private rights of action and provides for statutory damages ranging from $1,000 to $5,000 per violation. The Texas analog, entitled Capture or Use of Biometric Identifier (“CUBI”), is enforceable only by the state attorney general and permits civil penalties up to $25,000 per violation.
Earlier this week, the FTC and FCC announced “parallel” investigations into how carriers and mobile device makers release information on vulnerabilities, and how and when mobile security patches are distributed. The regulators, who have publicly jockeyed for position on privacy and cybersecurity matters in the past year, appear to have reached a truce of sorts, allowing each agency to examine industry players within its core jurisdiction.