Regulatory Enforcement and Litigation

As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on here, Pennsylvania has firmly adopted the approach that the Risk of Harm is Not Enough in Data Breach Actions. Still, data breaches have become some of the most noteworthy headlines in recent news. An increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing. This means that courts are finding that the plaintiffs have not sufficiently established a concrete injury in order to seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, it is not necessarily always true that tangible harm will follow. Due to that nature, the Third Circuit established that when it comes to data breach actions, simply the risk of future harm does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F. 3d 38 at 41 (3rd Circuit 2011).
Continue Reading Pennsylvania Continues to Rely on Third Circuit Holding that the Risk of Harm is Not Enough in Data Breach Actions

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order

The Federal Trade Commission recently announced that it settled charges against a health billing company and its former CEO that they misled consumers who had signed up for their online billing portal by failing to inform them that the company would seek detailed medical information from pharmacies, medical labs and insurance companies.

The Atlanta-based medical

On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for allegedly failing to safeguard the personal information of their customers.

Both TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) allegedly collected customers’ personal information, including

The Federal Trade Commission entered into a settlement with the social networking site Twitter on Thursday, June 25th. The settlement was the result two 2009 hacker breaches, which resulted in 35 user accounts (mostly celebrities and politicians) being compromised and passwords disclosed. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
Continue Reading FTC Bans Twitter From Misleading Us for 20 Years

It is not often that we come across something that just does not seem possible. Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers. The FTC’s response was in reaction to a letter from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.
Continue Reading FTC Concerned About Retention of Scans on Copy Machines

The First Circuit Court of Appeals has ruled that, by accepting credit cards for payment, retailer TJX and its processing bank, Fifth Third, could have negligently misrepresented to credit and debit card issuers that their data security practices were in compliance with the security protocols established by VISA and MasterCard operating regulations. The First Circuit