Photo of Christine Nielsen Czuprynski

The EU-U.S.  Privacy Shield has come under scrutiny once again after 17 civil society organisations (the Coalition) sent a letter to the European Commissioner for Justice and Consumers.

The 28 February 2017 letter raises the issue as to the breadth of Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendments Act (FAA), which provides

The Telephone Consumer Protection Act (“TCPA”) applies in many circumstances when companies use an automatic telephone dialing system (or “autodialer”) and/or pre-recorded messages to call consumers. In those situations where the TCPA does apply, the company cannot make the call unless it is an “emergency,” or unless the company has the prior express consent of the called party.  The Federal Communications Commission (“FCC”) has the power to exempt certain categories of calls from the TCPA’s requirements.

The TCPA is vigorously enforced by the FCC and has also been the source of extensive class action litigation, including suits against utilities. Any violation of the TCPA can subject the calling company to statutory damages of $500 to $1,500 per call.  Those statutory damages can quickly add up to millions or tens of millions of dollars in liability.  Given this regulatory framework and potential liability, entities have petitioned the FCC for clarification regarding definitions in the TCPA and the application of the law to certain types of telephone communications.

The Edison Electric Institute and American Gas Association recently filed a petition with the FCC (the “EEI/AGA Petition”), seeking confirmation that “under the TCPA, providing a wireless telephone number to an energy utility constitutes ‘prior express consent’ to receive, at that number, non-telemarketing, informational calls related to the customer’s utility service, which are placed using an autodialer or an artificial or prerecorded voice.” The FCC has previously found that a consumer providing his or her telephone number signifies prior express consent to be called on that number for purposes that relate to the reason the number was provided.  For example, providing a phone number on a credit application signifies prior express consent to be called on that number for purposes related to that credit account.  The EEI/AGA sought clarification that such guidance applied in the context of providing telephone numbers to utility companies.

In a declaratory ruling released August 4, 2016, the FCC granted the EEI/AGA Petition. The FCC found that:  “in the absence of facts supporting a contrary finding, prior to the termination of a customer’s utility service, a customer who provided a wireless telephone number when he or she initially signed up to receive utility service, subsequently supplied the wireless telephone number, or later updated his or her contact information, is deemed to have given prior express consent to be contacted by their utility company for calls that are closely related to the service[.]”Continue Reading The FCC Clarifies Prior Express Consent Under the TCPA for Calls to Utility Company Customers

On July 14, the Second Circuit in Microsoft v. United States ruled that the Stored Communications Act (SCA) “does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

The Justice Department sought and obtained a warrant under the SCA against Microsoft, seeking the contents of an email account on the grounds that the account was being used in furtherance of narcotics trafficking. Microsoft complied with the warrant by producing non-content information, but moved to quash the warrant as to the content because the content was stored on servers located in Ireland.  The U.S. District Court for the Southern District of New York denied the motion to quash, and ultimately held Microsoft in contempt for its failure to comply with the warrant.
Continue Reading The Stored Communications Act’s Warrant Provisions Do Not Apply Extraterritorially

Higher education institutions are increasingly targets of data breaches due to the vast amount of private information, including educational, medical and employee data, they maintain.  It is no longer a question of if a data breach will occur, but when.  Academic institutions can take certain measures to minimize exposure in the event of a breach,

The Declaratory Ruling and Order issued by the Federal Communications Commission (“FCC”) July 10, 2015,  clarified several sections of the Telephone Consumer Protection Act (“TCPA”), including addressing a petition filed by the American Association of Healthcare Administrative Management regarding “free, pro-consumer… healthcare-related messages,” and under what circumstances such messages are exempt from the TCPA’s

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends.  One of Wyndham’s arguments, articulated in its motion to dismiss that was in front of District Judge Esther Salas, was that the Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent.  Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority.  During oral arguments in front of the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm.  The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.
Continue Reading Third Circuit Upholds FTC’s Authority in Wyndham Case

Perturbed by two allegedly unwanted faxes, Arnold Chapman brought a putative class action under the Telephone Consumer Protection Act (“TCPA”). For himself, he sought the most the statute could provide – $3,000, an injunction, and costs. ($3,000 represents $500 in statutory damages for each of the two faxes, trebled for an allegedly knowing or wilful violation.) The defendant offered Chapman $3,002, and the entry of an injunction, and costs. Chapman let the offer expire without accepting it. The District Court dismissed the case as moot.

Chapman appealed, and late last week, the Seventh Circuit reversed the lower court ruling. In Arnold Chapman v. First Index, Inc., the Seventh Circuit held that an expired offer of judgment does not moot an individual plaintiff’s claims. In so ruling, the panel reversed circuit precedent and aligned itself with the Second, Ninth, and Eleventh Circuits on the issue.Continue Reading What Do You Get for the Plaintiff Who Has Everything? Maybe a Class Action, Ruled The Seventh Circuit

A panel of the Seventh Circuit Court of Appeals (Wood, C.J., Kanne, J. and Tinder, J.) has reversed the dismissal of a data security breach class action lawsuit against luxury department store Neiman Marcus.

This lawsuit stemmed from a hacking incident in which “350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently.” The company provided notices to consumers and a year of free credit monitoring. A number of class action lawsuits were brought by consumers, consolidated into the lawsuit Hilary Remijas v. Neiman Marcus Group, LLC. “The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.”

The trial court dismissed the case for lack of Article III standing under Rule 12(b)(1) and declined to rule on defendant’s Rule 12(b)(6) argument. The Seventh Circuit found that at least some of plaintiffs’ alleged injuries passed Constitutional muster, even under the standards set forth in cases like Clapper v. Amnesty International USA.
Continue Reading Seventh Circuit Revives Data Security Breach Class Action Against Neiman Marcus: Finds Article III Standing In Class Expenses “Resolving Fraudulent Charges and Protecting…Against Future Identity Theft.”

On July 7, 2015, attorneys general from 47 states and territories sent a letter to Congressional leaders urging them to consider federal data breach notification legislation that does not preempt the states. The move comes on the heels of a data breach announcement made by the Office of Personnel Management, and renewed interest on the

Reed Smith and the International Association of Privacy Professionals (IAPP) have teamed up again for IAPP’s Privacy Advisor series highlighting state attorneys general and their interest in privacy and data security. In last week’s newsletter, the Privacy Advisor focused on the work of Illinois Attorney General Lisa Madigan, who has been active in this