Technology Law Source

Archives: Information Technology

Subscribe to Information Technology RSS Feed

A BIPA lawsuit! Do we have coverage? Understanding West Bend Mutual v. Krishna

By Andy Shapiro on

Companies doing business in Illinois are keenly aware of the recent flood of lawsuits alleging violations of the Illinois Biometric Information Privacy Act (BIPA). They know that BIPA lawsuits can be costly to defend. And they understand that if they are found to have mishandled the retention, collection, disclosure or destruction of biometric information, they could face substantial exposure.

Not surprisingly, the first question most companies ask when they learn about a new BIPA lawsuit is: Do we have coverage for that? To answer that question, companies will want to closely review the recent Illinois Appellate Court decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834. According to that ruling, they might have coverage.…

Verify your wires!

By Jack Beeler on

The FBI’s Internet Crime Complaint Center has released its 2018 annual report, which includes statistics that internet-enabled theft, wire fraud and exploitation were responsible for a staggering $2.7 billion in financial losses in 2018. If you are involved in transactional work, this can happen to you.

Reports detail an increasingly common story of wire fraud accompanying large sum transactions. The story line often includes a spoofed email invoice in connection with closing, which instructs one party to wire closing related expenses to a fraudulent account. As a result of the detailed and convincing invoice, one party loses their funds forever when they wire a large sum to the hacker’s offshore account.

What are the courts saying?

Recent news reported on a story about a hack that took place during a real estate closing. A law firm forwarded money to Deutsche Bank in accordance with instructions from a mortgage company. Through “mimicking” the e-mail address that the lender used, the hacker provided fraudulent wiring instructions to the law firm.

In rejecting the law firm’s complaint against the lender, the U.S. District Court for the Eastern District of Virginia ruled that state law does not allow companies to bring negligence claims against organizations that are hit with a data breach based on “a duty to safeguard the private information of another individual.” The court observed that its decision rests on a developing area of law: “whether or how to impose liability on a party whose potentially negligent conduct flows from a …

The federal landscape on self-driving cars

By Jill Okun on

Motivated by the unprecedented spike in automotive fatalities in 2015, mostly caused by human error, the United States Department of Transportation (DOT), through the National Highway Traffic Safety Administration (NHTSA), has embraced self-driving cars as a means to significantly reduce motor vehicle crashes. In so doing, the DOT stands behind developing a regulatory framework which encourages the safe development, testing and deployment of automated vehicles. Because current legislation and policies have not caught up with technology, Congress and the DOT are hoping to create legislation which balances technology and car manufacturers’ freedom to test, evaluate and deploy driverless cars with ascertaining the best ways to operate and govern these vehicles on U.S. roadways.…

FAA’s comprehensive new small UAS rules are here. How can they help your business?

By Brad Hughes and Caroline Gentry on

On June 21, the Federal Aviation Administration (FAA) released long-awaited new rules for commercial, non-hobbyist small unmanned aircraft (sUAS) operations. The FAA’s press release about the new rules in part 107 of the FAA regulations is available here. FAA’s three-page fact sheet about the new regulations can be found at this link, and a 53-page advisory circular, which provides additional guidance, can be found here. The fact sheet and advisory circular are helpful resources, but by no means exhaustive, as the complete rules and commentary from the FAA fill 624 pages.

These final rules govern the commercial use of small (less than 55- pound) UAS. Many of our clients, who are understandably excited about the prospects of integrating drones into their businesses under a more defined regulatory regime, should become familiar with these detailed regulations before taking to the sky. That is also true for clients who may currently be operating sUAS pursuant to a Section 333 Waiver that they obtained from FAA before these new rules were finalized. The new rules address how those Section 333 Waivers apply under the new regulatory regime, and also how to obtain waivers from many of the new operational requirements.…

Porter Wright announces the 2016 Technology Seminar Series

By Donna Ruscitti on

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2016 Technology Seminar Series, beginning  May 18.

This year’s sessions are:

May 18: Big Data, Data Analytics & the Law 2016: What Your Company Needs to Know About the Evolution of the Next Big Thing

“Big data” is one of today’s most prevalent buzzwords across virtually all industries worldwide. But who truly understands what big data is and how it’s used? How is information collected, stored and analyzed? How are businesses leveraging big data in the workplace and the marketplace? How should companies balance data-driven trend-spotting against  consumer protection?  What laws or ethical frameworks apply to the use of big data, and how can you be sure your company is complying with them? This seminar provides an introduction to big data analytics, to the legal and strategic issues that big data raises for business, and to the ways that companies can position themselves to handle these challenges.  It then zeros in on the use of big data in the modern workplace to illustrate how some of these issues play out in a context familiar to many companies.

Speakers: Dennis Hirsch, Professor of Law, Faculty Director of the Program on Data, Law, Ethics and Policy (DLEAP), The Ohio State University Moritz College of Law and Brian Hall, Porter Wright Morris & Arthur LLP…

Ch-ch-ch-changes – Fourth Circuit upholds FCC’s rules streamlining certain wireless telecommunications upgrades and expansions

By Aaron Shank on

Mobile wireless service is ubiquitous. Growth of domestic mobile data use is astronomical with growth rates expected to increase by as much as 20 times over the next five years.  4G LTE is lighting up our homes, schools, and workplaces. And 5G, we are told, is right around the corner. Growth requires infrastructure – new sites and modifications to existing facilities. Infrastructure requires permits, largely from local governments. But permit processes take time and local concerns can delay expansions. Now, however, the wireless telecommunications industry has a new tool to implement changes more quickly. And the Fourth Circuit has given the thumbs up to FCC regulations that foster these changes. See Montgomery County v. FCC, 2015 U.S. App. LEXIS 22070 (4th Cir. 2015).

This week, the United States Court of Appeals for the Fourth Circuit put the finishing touch on its decision upholding FCC regulations interpreting a 2012 law that cleared the way for a category of infrastructure expansion projects by eliminating discretionary reviews by state and local governments. The law, and the FCC’s interpretation of it, is a significant win for the wireless telecommunications industry in its efforts to streamline deployment of infrastructure, which can be slowed by state and local processes. On Feb. 16, 2016, the industry scored another victory when the court denied the petitioners’ motion seeking rehearing and rehearing en banc.

This is a big deal. Before the 2012 law, one of the most effective tools the wireless telecommunications industry could leverage for infrastructure expansions was …

The focus of the ADA turns to websites in the digital age: Is your site compliant?

By Porter Wright on

This article is excerpted from research conducted by Emily R. Taylor, one of Porter Wright’s talented 2015 summer law clerks. Emily will enter her third year at Vanderbilt University Law School in the fall. 

Title III of the Americans with Disabilities Act (ADA) prohibits discrimination on the basis of disability in places of public accommodation, including restaurants, movie theaters, schools, day care and recreational facilities, and doctors’ offices, and requires new or remodeled public places, as well as privately owned commercial facilities, to comply with ADA standards. This law, enacted in 1990, does not specifically address website accessibility for the disabled. But since 2006, when Target settled a class action lawsuit1 alleging Target.com was inaccessible to the blind in violation of the ADA, the issue of whether the law applies to websites has been a much-discussed topic in the federal courts.

Courts are split on two issues.2 The first is the threshold issue as to whether the ADA applies to websites at all. The second issue relates to the degree in which the ADA applies to websites. The Third, Ninth and Eleventh Circuit courts apply the ADA only to websites that have a physical connection to goods and services available at a physical store or location. But the Second and Seventh Circuit courts apply the ADA more broadly to include websites that lack “some connection to physical space.”3 Despite the split, one thing is for certain; the tide is moving toward ADA compliance for websites.

The Department of Justice (DOJ) …

A potential game-changer in trademark registration proceedings

By Porter Wright on

In trademark infringement litigation, the critical and usually pivotal issue is whether there is a likelihood of confusion between two allegedly similar marks. Eliminating a defendant’s ability to defend against an allegation of likelihood of confusion can be tantamount to establishing liability against the defendant. Yet, that will be the situation for many defendants following the U.S. Supreme Court’s March 24, 2015 decision in B& B Hardware, Inc. v. Hargis Industries, Inc. In that case, the Supreme Court held a defendant can be precluded from contesting “likelihood of confusion” if that issue, or a non-materially different issue, was previously decided between the parties in the Trademark Trial and Appeal Board (TTAB), a tribunal in the U.S Patent and Trademark Office (USPTO).

At first blush, the decision might not appear unusual. The doctrine of “issue preclusion,” a doctrine that prevents a party from relitigating an issue previously decided between parties, is long established law. TTAB decisions, however, are different for several reasons. First, the TTAB is part of an administrative agency (the USPTO), not part of the judicial system. Second, TTAB decisions are based on “the mark as shown in the application [for trademark registration] and as used on the good described in the application,” not the mark as actually used in the marketplace. Third, and perhaps far more significant in practical terms, many trademark registration proceedings in the past have been conducted under the assumption that the stakes involved in the proceeding were relatively modest. TTAB proceeds were viewed as …

CRTC claims its first victim under Canada’s anti-spam law

By Porter Wright on

Canada’s anti-spam law (CASL), enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), requires that businesses and organizations secure a recipient’s express or implied consent before sending “commercial electronic messages” (CEM). A CEM is any electronic message that encourages participation in a commercial activity, such as a coupon or message about a promotion of the organization, an e-vite, and newsletters sent using email, text messaging or certain forms of messages sent through social networks. The legislation imposes severe fines for non-compliance and leaves open the possibility for private or class actions for damages. CASL has been deemed one of the toughest pieces of anti-spam legislation.

The biggest feature of CASL is the consent requirement, which requires Canadian and global organizations that send CEMs within, from or to Canada to obtain consent from recipients before sending the messages. This requirement does not apply to CEMs merely routed through Canada. The requirement only applies to communications sent to electronic addresses.

Consent may be obtained expressly or may be implied, and it is imperative that an organization, which has the burden of proving that consent was obtained, keep records as to how it obtained consent.…

Leading European privacy law conference points to key themes, suggests strategic directions

By Porter Wright on

A few weeks ago, more than 1,000 academics, legal practitioners and government officials convened for one of Europe’s premier privacy law events: the Computers, Privacy and Data Protection (CPDP) conference in Brussels, Belgium. Europeans dominated this crowd but a significant number of participants from other countries, including the U.S., made this a truly international gathering. I was fortunate to attend the conference and be able to present on two panels: “The EU-U.S. Interface: Is it Possible?” and “Privacy by Analogy.” This article provides an overview the conference, identifies the main themes that emerged from the three days of panels and discussions, and draws a few strategic conclusions for a U.S. audience.

Led by Professor Paul de Hert, faculty and graduate students from the Free University of Brussels (Vrije Universiteit Brussel) organized much of the CPDP conference. Leading companies, law firms and public interest groups — including Google, Microsoft, Deloitte, epic.org, HP, Intel and others — sponsor the event. An array of universities and other entities organize the 70 panel discussions that form the backbone of the conference (videos of many of these panels are available online). American universities and organizations are getting more involved. This year, Yale, Fordham, the University of Washington and the U.S.-based International Association of Privacy Professionals (IAPP) each sponsored a panel.

Viewed as a whole, the panel topics offer insight into the key themes that are of concern in European and international privacy law circles.…

App developers should beware of the risks associated with transmitting data from a user’s mobile device to external servers

By Porter Wright on

The availability of third-party keyboard apps on the new iOS 8 operating system for Apple mobile devices created quite a buzz. It also served as a reminder for any developer of apps that transmit data or communications from a user’s host device to external servers to be cognizant of the risks associated with such data collection, whether intended for misuse or not.

Though previously available on the Android operating system, third-party keyboard apps such as SwiftKey, Fleksy and Swype broke through with Apple for the first time on iOS 8, MacRumors.com and Tech Republic report. iOS 8 comes stock on the newly released iPhone 6 and is available for download on earlier iPhone versions. Third-party keyboard apps provide aesthetic variety and features such as the ability for users to type without lifting their fingers from the keyboard by tracing their fingers between letters or numbers. Some keyboard apps also have the capability of recording a user’s keystrokes and transmitting the data contained in those keystrokes to external servers, according to MacRumors.com and a technology blog written by IT expert Lenny Zeltser. In some cases, this allows the app to require less hard drive storage space on the host device and to provide upgrades more efficiently.…

Sony Data Hack: “You Can’t Lose What You Ain’t Never Had”

By Brian Hall on

Back in the 1960’s, legendary bluesman Muddy Waters wrote a song called “You Can’t Lose What You Ain’t Never Had.”

Now, it is Sony Pictures that is singing the blues, as damages continue to mount following the cyber attack on its data networks just before Thanksgiving. A shadowy group with possible connections to the North Korean government has claimed responsibility for the hack, which, to date, has resulted in exposure of Sony intellectual property (e.g., movie scripts), trade secrets (e.g., film budgets), employee personal information (e.g., employee and former employee home addresses and social security numbers) and other sensitive information (e.g., actor travel aliases and phone numbers).

I’m no cybersecurity expert, but I’m at the point where I seriously doubt any currently available data security technology is totally hack-proof. Who knows, there may have been precious little that Sony could have done to prevent the loss of its intellectual property and trade secret information to determined hackers. Let’s face it, some of the most highly sophisticated corporations and government agencies have been victimized by cyber attacks in the last year. But the same really can’t be said for their employee data.…

What have you done with your data?

By Donna Ruscitti on

Companies have moved in droves to allow hosting partners to store their mission critical applications — along with valuable business information, trade secrets and customer data — in the cloud. Saving money is great, but do you know where all of your data is at all times, and, more importantly, how secure is it? Every cloud deployment should go “eyes-open” into the cloud. No matter where your data is, you are responsible for it and you will be held accountable for a breach in security of the data.

No company should enter into a contract without considering the following, at the very least:

1. Where is the data being stored, meaning where are the servers (computers) physically located? This means, be specific in your contracts: “All Customer Data will be housed in Provider’s servers located in Columbus, Ohio” (or wherever your Provider tells you they are).

2. Does your provider use offshore (i.e. outside the continental United States) data centers, or does it access U.S. data centers from offshore? You may wish to state in your contract that: “If Provider intends store any Customer Data or to provide any services under this Agreement from an offshore location or through offshore personnel, Provider will provide all relevant information to Customer and obtain Customer’s prior written approval.” Why is this? Is off-shore data less secure? Not necessarily, but it may not be possible to get your data back from an international location.…

Texas Federal Court decision illustrates need for BYOD policies

By Brian Hall on

Saman Rajaee was a salesman for Design Tech Homes. He used his personal iPhone to connect to his employer’s Microsoft Exchange Server, which allowed him to access his work-related email, contacts and calendar from his phone. Design Tech did not have a BYOD policy. When Rajaee’s employment terminated, Design Tech remotely wiped his phone, which deleted all of his data, including personal emails, texts, photos, personal contacts, etc.

Rajaee sued under the federal Stored Communications (SCA) and Computer Fraud and Abuse Acts (CFAA) as well as raising various state law claims. Design Tech moved for summary judgment on the federal claims. On the SCA claim, the court held, based on Fifth Circuit precedent, that information an individual stores to his hard drive or cell phone is not in electronic storage within the meaning of the statute.…

Immigration reform may help out tech companies

By Donna Ruscitti on

Our colleagues at Employer Law Report recently discussed how President Obama’s immigration reform measures could affect tech companies whose workforces include non-U.S. residents with H-1B visas. According to a memo from the Department of Homeland Security, the visa application and approval process may become easier for employers and their highly skilled workers. Read more

Coinye West will not take over bitcoin’s reign on cryptocurrency

By Porter Wright on

There’s exciting news in the world of cryptocurrency, the exchange medium that uses cryptography to secure the transactions and control the creation of new units. Bitcoin, created in 2009, was the first cryptocurrency and remains the most popular, though numerous other cryptocurrencies, such as Coinye, have emerged in the interim.

Where can you find cryptocurrency? Certainly not at your local bank.

Cryptocurrency is essentially digital money, a virtual medium of exchange that is not issued, backed, or tied to any particular nation or government. Cryptocurrency derives value through a variety of ways, such as buying either from exchanges, or directly from other people selling them, or try your hand at mining, which requires software you download to your computer.

After obtaining cryptocurrency, such as a bitcoin, the next hurdle is finding someone who will accept the currency in exchange for goods and services — which isn’t as difficult as you might think. Analysts estimate that over 65,000 bitcoin transactions occur every day through electronic transactions. What types of goods and services are exchanged, you may ask? Almost anything from the mundane products, such as electronics or dog apparel, to swanky cocktails or a Tesla, or to the illegal, including drugs and guns. Because purchases occur online through user’s virtual wallets, purchasers can remain anonymous and law enforcement can’t freeze their accounts.

Privacy law in the U.S. and Europe: University of Amsterdam Summer Course explores current issues

By Porter Wright on

On July 7-11, 2014, a group of 25 privacy lawyers met in a historic building overlooking the Keizersgracht, one of Amsterdam’s most beautiful canals, and spent five days learning about U.S. privacy law, European data protection law, and the complex interactions between them. The setting was the Summer Course on Privacy Law and Policy, presented by the University of Amsterdam’s Institute for Information Law (IViR), one of the largest information law research centers in the world. Course faculty included leading practitioners, regulators and academics from both sides of the Atlantic. Course participants came from an even wider geographic area that included Hungary, Greece, Poland, the Netherlands, Hong Kong, Kyrgyzstan, Switzerland, the UK, Belgium and Canada. I was lucky enough to serve as a co-organizer of, and faculty member in, the course. In this post, I describe presentation highlights and identify some cross-cutting themes that emerged during the week.

Dr. Kristina Irion, Marie Curie Fellow at IViR (and the other course organizer) started the course with “An Update on European Data Protection Law and Policy.” The Summer Course does not try to cover every aspect of privacy law. Instead, it focuses on law and policy related to the Internet, electronic communications, and online and social media. In her presentation, Irion analyzed the latest European legal and policy developments in these areas. The most important such development is the proposed General Data Protection Regulation (GDPR) — a major reform proposal that several of the faculty presenters believe will become law …

Beware of the Antitrust Laws’ extraterritorial reach

By Donna Ruscitti on

Our colleagues Jay Levine and Jason Startling recently wrote an interesting post on Porter Wright’s FedSec Law Blog. Though the article covers some interesting international and antitrust issues, the case Jay and Jason focus on is one that many in the technology industry may wish to follow. With technology products in particular, more and more goods are sold outside of the United States, yet seem to find their way back into the U.S. economy — often as a resale product or as part of a finished downstream product. The question that arises for many companies is whether U.S. antitrust law applies to that foreign sale. The article discusses how the  Foreign Trade Antitrust Improvements Act (FTAIA), governs this conduct.…

Florida ramps up data breach notification law

By W. Hunter West and Donna Ruscitti on

The Florida Information Protection Act of 2014, aimed at strengthening Florida’s data breach notification law, goes into effect tomorrow, July 1, 2014. The act contains major changes to Florida’s existing data breach notification statute and makes it one of the toughest in the nation.

Shortened notice period

For example, notice to consumers must be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. Previously, the law allowed 45 days for such notice. Fines may be imposed on private entities for failure to comply with the notice provisions ($1,000 per day for the first 30 days following a violation of the notification requirements; $50,000 for each subsequent 30-day period thereafter; and, if the violation continues for more than 180 days, an amount not to exceed $500,000). The notice requirement applies to personal information contained in any computerized data system and is triggered when unencrypted personal information may have been acquired by an unauthorized person.…

LinkedIn class suit proceeds because endorsement (spam) emails might cause users reputational harm

By Porter Wright on

Have you ever received an email from LinkedIn with the invitation: “I’d like to add you to my professional network.”? If you did not respond, did you receive a reminder email a week later? And another one a few weeks after that? If you did, or if you were one of the LinkedIn users who (inadvertently) sent out one of these “endorsement emails,” then Perkins v. LinkedIn (N.D. Ca. June 14, 2014) is a class action lawsuit against LinkedIn you might want to keep an eye on.

The crux of the complaint, which has been brought by nine individual plaintiffs as a class suit, is that LinkedIn violated several state and federal laws by harvesting email addresses from the contact lists of email accounts associated with the class plaintiffs’ LinkedIn accounts and used the contacts to spam their users’ contacts with LinkedIn ads. The class complaint alleged five causes of action:

  1. violation of California’s common law right of publicity;
  2. violation of California’s Unfair Competition Law (“UCL”);
  3. violation of the Stored Communications Act (“SCA”);
  4. violation of the Wiretap Act; and
  5. violation of California’s Comprehensive Data Access and Fraud Act (“CCDAFC”).

The district court is allowing the case to proceed on the California right of publicity claim, but not on any others. Here is how the court came to that decision.…

Porter Wright announces 2014 Technology Seminar Series

By Donna Ruscitti on

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2014 Technology Seminar Series, beginning June 18. This year’s sessions are:

Social media in litigation: a shield and a sword

June 18

The worlds of social media and litigation have collided. Social media evidence is used in employment discrimination lawsuits, in divorce and custody cases, in criminal cases – and intellectual property cases are won and lost based on the information disclosed on social media sites. Like it or not, social media is an aspect of litigation that is here to stay. Sara Jodka, Colleen Marshall and Jay Yurkiw will walk you through how social media affects the way companies prepare for and engage in litigation, including the good, the bad and the ugly. This session will provide guidance about how you can make sure that your company’s social media use will not get the company into hot water. Presenters also will share helpful insights regarding what to do about social media when litigation is filed and identify the biggest social media in litigation hazards.…

Employers can learn from recent cases involving the Federal Trade Commission

By Brian Hall on

Two recent decisions – one from the federal district court in New Jersey and one from a federal Administrative Law Judge – potentially will have significant impact on the Federal Trade Commission’s (FTC) enforcement of business’s data security obligations. (Read more about these cases here and here.)

FTC v. Wyndam Worldwide

In FTC v. Wyndham Worldwide Corporation, the New Jersey federal district court upheld the FTC’s authority to find that a business that has sustained a data breach has committed an “unfair trade practice” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a) when its privacy controls are found to be inadequate. Over the past several years, the FTC has regulated data privacy and security under Section 5(a) by bringing actions against businesses that have sustained data breaches on the ground that the business has committed a deceptive and/or an unfair trade practice. The deceptive trade practice claim typically alleges that the business has failed to live up to its promises to consumers about how it will secure the privacy of their data. More controversially, however, the FTC also has sought to regulate data security by bringing actions against businesses alleging that they had inadequate data security protections even in the absence of any consumer promises. Until Wyndham challenged the FTC authority, these “unfair trade practice” cases brought by the FTC have settled.…

District court gives the FTC the go-ahead in Wyndham data security enforcement suit

By Jay Levine on

A decision from the U.S. District Court for the District of New Jersey last week affirmed the Federal Trade Commission’s assertion of authority to prosecute data security breaches under Section 5 of the Federal Trade Commission Act. The FTC has increasingly used its authority under Section 5, which makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices,” to regulate data security. Two companies, Wyndham Worldwide Corp. and LabMD Inc., have publicly challenged the FTC’s authority over their data security policies (and subsequent lapses). We posted in December about LabMD’s challenge, which remains pending before the FTC. The District of New Jersey, however, has rejected Wyndham’s challenge.

In June 2012, the FTC filed a complaint against Wyndham, alleging that Wyndham used unfair and deceptive practices by failing “to maintain reasonable and appropriate data security for consumers’ sensitive personal data,” which, in turn, exposed customers’ personal and credit card information to hackers in three system attacks between 2008 and 2011, resulting in fraudulent charges to consumers’ accounts totaling $10.6 million.

Wyndham moved to dismiss the complaint, arguing, among other things, that the FTC’s unfairness authority does not extend to data security because:…

LexBlog