The technology industry is constantly evolving and trusted legal advice is more important than ever. The attorneys in our Privacy and Data Security practice group are proud to offer a new blog series to provide curated data privacy and security news, developments and things to know moving forward. We will provide analysis designed to keep you and your organization up to speed.
Our first roundup includes news on the FBI removing malicious web shells from Microsoft’s servers, clarity on auto-dialers and new privacy legislation from author Kevin Scott. We hope you enjoy this new series!
FBI accesses compromised Microsoft Exchange Servers
On April 13, 2021, the U.S. Department of Justice (DOJ) announced a court-authorized operation by the FBI to remove malicious web shells from hundreds of vulnerable systems in the U.S. running on-premises versions of Microsoft Exchange Server software. The malicious web shells provided attackers an avenue for remote access, persistence and control. The announcement follows revelations earlier this year that attackers used certain zero-day vulnerabilities to exploit the Microsoft Exchange software utilized by businesses of all sizes worldwide to provide enterprise-level email, calendar and collaboration solutions. While owners of many systems impacted by the vulnerabilities successfully removed the web shells, hundreds of such web shells persisted unmitigated. Notably, it appears that the owners of the remaining Microsoft Exchange servers were likely unaware of the FBI’s involvement on their systems. While the FBI is “attempting to provide notice” to owners and operators of the systems from which it removed the web shells, the DOJ announcement sheds light on the department’s active cybersecurity capabilities and reach.
Clarity on the issue of auto-dialers
On April 1, 2021, the U.S. Supreme Court decided Facebook v. Duguid, unanimously siding with Facebook in rejecting a broad reading of the disputed definition of an auto-dialer. Specifically at issue was whether texts about attempted log-ins from unregistered devices constituted illegal “robocalls” under the Telephone Consumer Protection Act (TCPA). Adopted in the early 1990s, the TCPA’s definition of an automatic telephone dialing system “as equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers” was a growing source of litigation. However, the court’s decision delivered clarity on the issue of what types of dialing equipment might trigger liability under the TCPA, which provides for recovery of uncapped statutory damages of $500 per violation to $1,500 per each willful or knowing violation. In practice, the court’s decision means that individuals can only claim TCPA protection from calls or texts made using a system that randomly or sequentially generates phone numbers.
Lawmakers looking to change Illinois Biometric Privacy Law
Enacted in 2008, Illinois’ Biometric Information Privacy Act (BIPA) broadly prohibits collecting biometric information without consent (among several other distinct obligations). However, following numerous high-profile suits, including a record-setting class-action settlement by Facebook, Illinois lawmakers are considering House Bill 599. Among other changes, the bill would require a potential claimant to provide written notice of violation identifying the specific provisions being violated, provide the receiving entity 30 days to cure the violation, and would create a one-year statute of limitations.
Items to know and keep in mind going forward
First national, but maybe not the last, comprehensive U.S. privacy bill this year
Following on the heels of Virginia’s comprehensive privacy legislation, the Information Transparency and Personal Data Control Act, sponsored by Rep. Suzan DelBene (D-WA), became the first national comprehensive privacy bill proposed this year. Akin to Europe’s General Data Protection Regulation (GDPR), the bill intends to create a uniform standard for data privacy regulation. It would require affirmative opt-in consent for requests involving collection, sale, sharing or disclosure of sensitive personal information while allowing consumers to opt out of the collection, processing and sharing of non-sensitive information at any time. The bill grants enforcement authority to the Federal Trade Commission (FTC) and state attorneys general, but, significantly, does not include a private right of action. Further, in addition to “plain English” disclosures and compliance audit requirements where certain thresholds are met, the bill would preempt similar state regulatory regimes. The combination of state law preemption and the absence of a private right of action could lead to wider bipartisan support. Even if the bill never becomes law, its introduction in the current U.S. Congress might be viewed as a starting point for privacy legislation to come, particularly as businesses continue to face the need to track and adapt to the current patchwork of state privacy laws.
Comprehensive state privacy regulations on the horizon
In March 2021, Virginia became the second and probably not the last state to enact comprehensive privacy legislation with the Consumer Data Protection Act (CDPA). While the law takes effect on January 1, 2023 and shares several similarities with the landmark California Consumer Privacy Act (CCPA), including its extraterritorial reach, the CDPA adds additional complexity to the overlapping patchwork of data and information privacy laws. Meanwhile, with the CCPA now in full force, the California Privacy Rights Act (CPRA) is set to become operative on the same date as the CDPA and will apply to personal information collected after January 1, 2022. Most notably, the CPRA will reinforce the CCPA and establish the California Privacy Protection Agency tasked with enforcement of the CCPA and implementation of the CPRA. Once established, the CPRA also grants the new agency rulemaking authority. Comparatively, the CDPA and CCPA/CPRA represent two somewhat dissimilar approaches that will likely shape comprehensive privacy legislation on the horizon in about 20 states.
Setting aside comprehensive legislation, all states now have some privacy-related laws on their books, and certain states regulate online privacy specifically. For example, Maine’s internet privacy legislation requires providers of broadband internet services to obtain consent from customers before selling or using their personal information. Similarly, Nevada’s privacy law requires website operators and services to post notices regarding their privacy practices and to establish a designated location through which consumers may submit do-not-sell requests for covered information. While these and other state laws are not comprehensive, they demonstrate the varied and nuanced considerations required for compliance.
A potential shakeup for privacy- and breach-related class actions
Since the landmark 2016 decision in Spokeo v. Robins, which held that concrete and particularized injuries, rather than mere procedural violations, are required for a valid statutory privacy claim under the Fair Credit Reporting Act (FCRA), courts have been split on consumer privacy and data-breach-related “no-injury” cases. With TransUnion v. Ramirez, argued on March 31, 2021, the Supreme Court appears set to articulate a clearer standard for applying Article III standing principles when addressing the class certification process. In the case, after he was unable to buy a car due to an inaccurate credit report, the representative plaintiff sued TransUnion for a violation of the FCRA. However, the credit-reporting agency argued that the class lacked standing to recover on the roughly $60 million award because few class members suffered the “concrete” harm of the plaintiff. The key question under consideration by the court is whether a damages class action is permissible when a majority of the class did not suffer an injury comparable to the representative’s. Given that inquiry, the decision could impact data breach and consumer privacy cases where the perennial question involves the exposure of personal information absent specific and concrete injury other than a possible increased risk of harm. A decision is expected in the next few months.