District judge in the SDNY: Embedding links to third-party web content is copyright infringement

Copyright holders have an exclusive right to display images and other works. For the last 10 years, news organizations and other website operators have relied on the Ninth Circuit’s opinion in Perfect 10, Inc. v. Amazon.com Inc., which established a bright-line server test for determining whether a website displayed a copy of an image, and thus potentially infringed upon the owner’s copyright in that image. Under the server test, a website operator displays an image if it sends a copy of the image from its server to the end user’s browser, but does not display an image if it merely embeds instructions (HTML) in its webpage that enable the end user’s browser to request the image from a third party’s server.

On February 15, 2018, in Goldman v. Breitbart News Network, LLC, District Judge Katherine B. Forrest of the Southern District of New York rejected the server test, throwing the door open to new copyright infringement suits in the Second Circuit and beyond. The moving defendants (which did not include Breitbart) had sought summary judgment on the issue whether embedding a link to an image constituted infringement. The court held that the defendants’ websites had displayed an image by embedding instructions in their webpages that enabled browsers to request an image owned by the plaintiff – a photograph of football player Tom Brady and others – from a third-party Twitter account. Under the court’s ruling, the defendants are liable for infringement unless they prevail on their defenses (such as fair use). Even if the district court’s partial liability ruling does not reach the Second Circuit, additional copyright infringement suits based on embedding are certain to follow, eventually leading to further review and possibly a circuit split that could wind up in the U.S. Supreme Court.
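The distinction the server test draws is mechanical: it turns on whether the image bytes leave the site’s own server or whether the page merely carries an HTML instruction that sends the visitor’s browser elsewhere. The following audit script, an added example and not part of the original post, applies that distinction to each `<img>` on a page so a site operator can list which embeds the Goldman ruling puts at issue; the host names and sample HTML are constructed for illustration.

```python
"""Audit which <img> sources on a page are self-hosted versus embedded
from a third-party server, mirroring the Perfect 10 server test.
Added example, not from the blog post; hosts and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def classify_images(page_url, html):
    """Return (resolved_src, kind) for each image on the page.
    self-hosted : bytes are sent from the page's own host
    third-party : the HTML only instructs the browser to fetch elsewhere
    inline      : data: URI, bytes are embedded in the page itself
    """
    page_host = urlsplit(page_url).hostname
    collector = _ImgCollector()
    collector.feed(html)
    results = []
    for src in collector.srcs:
        if src.startswith("data:"):
            results.append((src, "inline"))
            continue
        # urljoin resolves relative and protocol-relative (//host/...) URLs
        resolved = urljoin(page_url, src)
        host = urlsplit(resolved).hostname
        kind = "self-hosted" if host == page_host else "third-party"
        results.append((resolved, kind))
    return results


# Constructed sample page: a local image, a hotlinked social-media image,
# a protocol-relative embed and an inline data: URI.
SAMPLE_HTML = """
<img src="/img/logo.png">
<img src="https://pbs.example-social.invalid/media/photo.jpg">
<img src="//cdn.example.invalid/banner.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
"""

if __name__ == "__main__":
    for src, kind in classify_images("https://news.example.invalid/story", SAMPLE_HTML):
        print(f"{kind:12} {src}")
```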

The FTC’s black-box determination of information’s sensitivity imperils First Amendment and due-process rights

A Washington Legal Foundation legal opinion titled “The FTC’s Black-Box Determination of Information’s Sensitivity Imperils First Amendment and Due-Process Rights,” written by Gerry Stegmaier, Wendell Bartnick, and Kelley Chittenden, illustrates the troubling fact that although businesses are tasked with implementing “reasonable” data security that hinges, in part, on the sensitivity of information, the Federal Trade Commission (FTC) has never explicitly defined what “sensitive information” actually is. Instead, the FTC deems various categories sensitive in a patchwork fashion without the benefit of industry or consumer input, leading to serious constitutional and pragmatic policy concerns. Rather than a “we know it when we see it” approach, the legal opinion suggests potential solutions, including formally designating a list of data types and basing sensitivity determinations on factors such as information’s propensity to cause harm, context, public exposure, accuracy, relevance, and currency.

To read the legal opinion, click here.

Cloud before the storm: Lloyd’s of London report forecasts cloud outage with a chance of multibillion dollar losses

On Tuesday, January 23, Lloyd’s of London co-published a report with AIR Worldwide highlighting the significant financial fallout that could occur in the event of a cyber incident or shutdown of a cloud computing provider in the United States, noting that losses could be to the tune of about $19 billion – of which only about $3 billion would be covered by insurance.[1] The report calls attention to the rise in businesses’ integration with and reliance upon cloud computing services (particularly when fewer providers are gaining greater market share), and the rise in commensurate and systemic cyber risk and potential gaps in insurance coverage.

The report examined 12.4 million businesses that rely on cloud computing, ranging in industries from manufacturing to wholesale and retail trade to transportation, storage, finance and insurance. The report states that “[g]iven the state of the cyber insurance industry today, a cyber incident that takes a top three cloud provider offline in the US for 3-6 days would result in ground-up loss central estimates between $6.9 and $14.7 billion and between $1.5 and $2.8 billion in industry insured losses.”[2] Among those businesses examined, the report states that smaller, non-Fortune 1000 companies would likely sustain the biggest losses. The report also noted that losses from reputational damage, customer trust and competitive disadvantage would significantly compound the consequences of such an incident.

The risk of cloud failures stems from the numerous ways in which failures could occur, from targeted malicious attacks to employee error – and criminal exploitation of employee error – and can result in loss of production data, limited access, inability to authenticate users or other forms of interrupted service. From a cybersecurity perspective, it is important for both cloud providers and the businesses that use them to optimize infrastructure and design their system engineering architectures and incident response plans to be as resilient and aware of these risks as possible, and to consider the level of access cloud providers give to their security and operations teams in the event of an incident.

From an insurance perspective, it is equally important for businesses that rely on cloud computing services to contemplate such risks ahead of time and incorporate them into their insurable risk management program, including adequate cyber coverage. Comprehensive cyber policies continue to evolve and may vary widely in scope from insurer to insurer. Some insurers’ policy forms include cloud computing coverage, but others will only add the coverage by endorsement and may require an additional application and underwriting process. Companies that have cyber coverage, or those considering placing cyber coverage, should identify their cloud computing and vendor-based risks and review any placed or proposed cyber policies to ensure that the policies will respond to those risks. Companies should further review the discovery and notification requirements of their cyber policies to ensure that timely notice will be provided.

Furthermore, policyholders should consider the ancillary effects, like potential follow-on litigation from customers or shareholders, when attempting to quantify the core risks outlined in the report. As noted by Lloyd’s and AIR, “cyber insurance is an emerging market that is outperforming most existing lines of business but this growth track can only be sustained if society’s understanding of the nature of risk continues to grow as well.”[3] Thus, companies should review all other potentially applicable policies, such as directors’ and officers’ liability, business interruption and professional liability policies, to determine how those policies may respond in the event of a cloud computing incident. As organizations look to build comprehensive and effective cyber incident response plans while simultaneously increasing reliance upon external services like cloud providers, it is increasingly important to understand all available and necessary coverage as part of a thorough approach to mitigate risks that will only continue to grow.

  1. lloyds.com
  2. lloyds.com
  3. lloyds.com

Full quilt: The final two states without data breach laws push forward to complete the patchwork protecting personal information in the U.S.

There are currently only two U.S. states that do not have a state data breach notification law: South Dakota and Alabama. Recently, South Dakota took a big step toward approving a data breach notification law. On January 25, 2018, the state’s Senate Attorney Judiciary Committee advanced the bill after a 7–0 vote, sending it to the South Dakota House of Representatives for consideration.

In addition to the standard data elements that are considered by most states with data breach laws, South Dakota Bill No. 62 follows the pattern of other states that are now looking to broaden the definition of “personally identifiable information” to include elements such as biometrics. Notification will need to be provided without unreasonable delay and no later than 45 days after the breach has been discovered. In addition, when breaches impact more than 250 SD residents, an entity is required to notify not only customers but also the state attorney general’s office.

Like many other state breach laws, SD Bill No. 62 does not require notification in instances where the data that has been compromised is encrypted and the unauthorized party does not have the encryption key. Furthermore, if the breached entity, in conjunction with the state attorney general, determines residents would unlikely be harmed as a result of the breach, notification will not be required.

In a recent column published in the “Guest Voices” section of “AL.com,” Alabama Attorney General Steve Marshall addresses the Alabama Data Breach Notification Act of 2018, a bill crafted by his office that “requires the entity to notify consumers within a reasonable time after it has determined that a consumer’s personally identifying information has been accessed and is likely to cause the consumer harm. If the data breach involves the information of more than 1,000 individuals, then notice must be given to the Attorney General’s Office as well.”

Based on the increase in high-profile data breaches, 2018 certainly looks to be the year that all 50 U.S. states will finally have their own data breach law to protect consumers. Only time will tell.

Massachusetts Attorney General announces new data breach reporting tool and database

Massachusetts Attorney General (AG) Maura Healey has announced that the state will offer an online portal where businesses can more easily report that they have experienced a data breach. Massachusetts will also offer consumers an electronic database to view reported breaches, similar to the online repositories operated by California, Maryland and other states. Affected companies will still have the option of providing hard-copy notifications to the state, as they do now.

Forty-eight states and D.C. have data breach notification laws (and if South Dakota’s bill is signed into law, it will be 49 states). Many of these laws have provisions requiring notice to the AG and/or allowing for AG enforcement, and state law enforcement officers have been heavily involved in data breach actions. Also extremely engaged in data breach litigation is the plaintiffs’ bar, which has been known to monitor state breach databases for potential lawsuits, using them as a roadmap for complaints.

For a more detailed look at the privacy and data security enforcement priorities of AG Healey, who is one of the thought leaders among AGs nationwide on these issues, check out our interview with her on the website of the International Association of Privacy Professionals.

“An interview with Utah AG Sean Reyes”

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Utah Attorney General Sean Reyes. AG Reyes is well known as a bipartisan thought leader among AGs on the issues of privacy and cybersecurity. In the interview, he explores what we can expect in 2018 from his office and from other state AGs on these hot-button issues.

The article is available on the IAPP website.

Four months until GDPR: Which EU countries are ready? How relevant are these laws?

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter, less strict, or more detailed) rules. Reed Smith, along with partner law firms from every EU Member State, has drafted an overview of each Member State’s local GDPR laws.

To learn more about each EU Member State’s current status, click here.

Defendant cites data breach investigation conclusions in discovery response, resulting in the Sixth Circuit finding “Sword and Shield” waiver of attorney-client privilege

The U.S. Court of Appeals for the Sixth Circuit recently ruled that a data breach defendant waived its attorney-client privilege for investigation-related communications with counsel after disclosing investigative findings in a discovery response and relying on those findings to assert an affirmative defense. The attorney-client privilege is a powerful tool, but it must be handled with care.

To learn more about this case, click here.

Warning light: The FTC is monitoring the connected car marketplace

In a recently published “Staff Perspective,” the Federal Trade Commission (FTC) appears to be staying true to the regulatory humility approach Acting Chairman Maureen K. Ohlhausen underscored in her opening remarks to the connected cars and autonomous vehicles workshop the FTC co-hosted with the National Highway Traffic Safety Administration (NHTSA) last summer. The privacy and data security workshop covered a wide range of existing and future connected car technologies, from infotainment systems such as GM’s new Marketplace feature, to vehicle-to-vehicle and vehicle-to-infrastructure (such as traffic lights and cameras) communications capabilities, to fully automated “driverless” vehicles. The FTC’s Bureau of Consumer Protection ultimately distills the workshop down to the following takeaway: Connected vehicles will generate – and businesses will collect – a vast amount of aggregated, non-sensitive and sensitive data, which may lead to privacy risk due to unexpected uses and to data security risk.

Bitcoin’s Blocksize Debate Continues

As Bitcoin’s (BTC) popularity continues to grow, its network, built on 1MB blocks, struggles to keep up with the growing number of transactions. Two groups within the Bitcoin community, the “Big Blockers” and the “Decentralists,” disagree on how to address the blocksize issue. Big Blockers are focused on realizing Bitcoin’s potential to serve as a cash alternative and compete with traditional payment systems; Decentralists fear that increasing the blocksize will compromise Bitcoin’s security by placing control in the hands of fewer stakeholders, and expose it to government regulations that would jeopardize its censorship-free qualities. A group of developers attempted to resolve the issue in November 2017 by increasing Bitcoin’s blocksize to 2MB with an update dubbed “SegWit2X.” SegWit2X ultimately failed, proving too controversial; but the discussion surrounding the proposal highlights each group’s position, and the important ramifications the blocksize debate has for Bitcoin’s future. Click here to read the Client Alert.