Category: Privacy and Data Security

Court Finds Lack of Standing in Medical Data Breach Case

In Peters v. St. Joseph Servs. Corp., the United States District Court for the Southern District of Texas recently dismissed a class action complaint seeking damages arising out of a data incursion. The Court dismissed the complaint under Federal Rule of Civil Procedure 12(b)(1) for lack of standing without leave to amend, while granting the plaintiff 30 days to raise her state and common law claims in state court.

Bill to Expand Data Breach Notification Requirements Passes New Jersey Assembly

On December 15, 2014, the New Jersey Assembly voted 75-to-0 to advance a bill that would expand the existing data breach notification requirements for companies doing business in the state. The bill, A3146, would broaden the type of information that, if compromised, would trigger a company’s obligation to notify customers of the breach. The proposal now heads to the Senate, where a similar bill, S2188, has been pending in the Commerce Committee since June.

Second Circuit Issues Decision in Gucci America, Inc. et al. v. Li et al.

On September 17, 2014, the Second Circuit issued its long-awaited decision in Gucci America, Inc. et al. v. Li et al., 2014 WL 4629049 (Appeal Nos. 11-3934 & 12-4557). In its decision, the Court vacated and remanded an August 2011 order compelling nonparty Bank of China (BOC) to comply with a document subpoena and asset freeze provision in an injunction, as well as a May 2012 order denying the bank’s motion to reconsider. The court also reversed a November 2012 decision holding the bank in contempt for non-compliance with the court’s August 2011 order and imposing civil penalties.

Gone, but Not Forgotten: How the European Union Court of Justice Misremembered the Fundamental Purpose of Search Engines

The European Union Court of Justice (ECJ) ruled on May 13, 2014 that Google must purge links to personal data appearing on web pages published by third parties if the person who is the subject of that data objects that it is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which [the data] were processed and in light of the time that has elapsed.” Google and other industry voices have already identified numerous concerns with the Court’s ruling, notably the unknown costs and potential disputes over relevancy and staleness of data that could arise as search engines seek to comply with the ruling.

Viewing Windows Through Bars – Former Microsoft Employee Takes Plea in Criminal Trade Secrets Case

While most trade secrets cases are litigated in civil court, one former Microsoft employee learned the hard way that the theft of trade secrets is also a federal crime. Alex A. Kibkalo, a former Microsoft Corp. employee, was being prosecuted for leaking valuable company trade secrets to a blogger for publication. On March 31, 2014, Kibkalo’s counsel and the prosecution advised a district court judge in Washington that the government and Kibkalo had reached a plea agreement. Pursuant to the terms of the agreement, Kibkalo will spend three months in federal prison and pay Microsoft Corp. restitution of $22,500.

Forgive Me Not: Privacy Advocates Challenge Facebook’s WhatsApp Deal

In their latest effort to curb potential consumer privacy abuses, the Electronic Privacy Information Center and the Center for Digital Democracy are challenging the potential misuse of WhatsApp users’ data as a result of WhatsApp’s acquisition by Facebook for $16 billion. WhatsApp is a popular app that allows users to send messages without the regular cost associated with SMS text messaging. According to the complaint, the company “processes over 10 billion messages per day from approximately 450 million users.”

Final Cybersecurity Framework Released in Furtherance of President Obama’s Executive Order

On Wednesday, February 12, the White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs. It is accompanied by a Roadmap which discusses NIST’s next steps with the Framework and identifies key areas of development, alignment, and collaboration. The Framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered on October 1, 2013. The overall core of the Framework is essentially unchanged from earlier drafts, also previously discussed on October 28, 2013.

Preliminary Cybersecurity Framework Released in Furtherance of President Obama’s Executive Order

The National Institute of Standards and Technology (NIST) has just released its Preliminary Cybersecurity Framework: a set of best practices to help owners and operators of critical infrastructure reduce cybersecurity risks. This voluntary framework provides both private and public-sector organizations with a common language for understanding and managing cybersecurity risks internally and externally. The framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered by this blog. The Final Framework is due to be released in February 2014, following a 45-day public comment period on the Preliminary Framework.

Updated California Online Privacy Laws Require Disclosure of “Do Not Track” Policies

Recently, California Assembly Bill No. 370 (AB 370) was signed into law by Governor Jerry Brown. AB 370 amends California’s Online Privacy Protection Act of 2003 (OPPA) to require that the privacy policy provided by the operator of a website and online service describe how the operator will respond to consumer-initiated mechanisms for controlling the collection of consumer personally identifiable information (PII).

Obama Administration Proposes Cybersecurity Best Practices

As practitioners are aware, in February 2013, President Obama issued an executive order directing federal agencies to create a set of voluntary cybersecurity standards and procedures for critical parts of the private sector. If followed, these “best practices” are intended to reduce the risk of a cyber attack and its attendant disruption of business.