In a class action with potentially significant impact on the data sharing disclosures that companies routinely provide in online privacy policies, the Third Circuit recently ruled that NaviStone, a third party marketing service, was not a “direct party” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) and thus was potentially subject to liquidated damages under that statute for intercepting communications between the plaintiff and the website she had visited.  The interplay between the Third Circuit’s ruling and the potential impact on privacy policy disclosures requires some technical background, which we have done our best to summarize.

The plaintiff in Popa v. Harriet Carter Gifts had visited the Harriet Carter Gifts website and begun the process for completing an online purchase of cat stairs.  As occurs during many website interactions, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused the plaintiff’s browser to simultaneously send a GET request to NaviStone.  When it received the GET request, NaviStone sent code to plaintiff’s browser that enabled the installation of a cookie which both identified the browser and tracked plaintiff’s activity on the Harriet Carter website.  This communication stream also enabled NaviStone to facilitate targeted advertising to plaintiff.  The lawsuit alleged that the HTML code re-routing electronic communications to NaviStone constituted an illegal interception under Pennsylvania’s wiretap law.  The district court granted summary judgment against plaintiff, but the Third Circuit reversed.
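The mechanism described above (first-party HTML that makes the visitor’s browser send requests to a third party) is something a site operator can inventory from its own markup before reconciling it against the privacy policy. The following audit script is an added example, not code from the original post or from any party to the case; the HTML and the example.test / tracker.test / adnet.test domains are constructed placeholders.

```python
"""Inventory the third-party origins a page's HTML causes the browser to
contact automatically, so actual data flows can be compared against what
the privacy policy discloses.  Added example; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs the browser fetches on page load without any user
# action.  (Assumption: illustrative list, not exhaustive.)
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
}


def registrable_domain(host):
    """Approximate eTLD+1 by keeping the last two labels.
    (Simplification: no Public Suffix List lookup, so co.uk-style
    suffixes are not handled.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collect every URL the browser would request while rendering."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.requests = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            # data: and javascript: values do not leave the browser.
            if value and not value.startswith(("data:", "javascript:")):
                self.requests.append((tag, urljoin(self.base_url, value)))


def third_party_origins(html, page_url):
    """Return {origin: sorted tags} for every resource whose registrable
    domain differs from the page's own, i.e. each automatic GET the page
    causes the browser to send to a third party."""
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.requests:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if registrable_domain(parsed.hostname) == first_party:
            continue  # same site (including its subdomains): first party
        origin = f"{parsed.scheme}://{parsed.hostname}"
        found.setdefault(origin, []).append(tag)
    return {origin: sorted(tags) for origin, tags in sorted(found.items())}


# Constructed sample: one first-party script, one first-party stylesheet,
# a third-party script, a 1x1 tracking pixel (protocol-relative URL),
# an inline data: image, and a third-party iframe.
PAGE_URL = "https://www.example.test/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://static.example.test/app.js"></script>
<script src="https://cdn.tracker.test/visitor.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGOD" alt="">
<img src="//pixel.tracker.test/p.gif?sid=1" width="1" height="1">
<iframe src="https://ads.adnet.test/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for origin, tags in third_party_origins(SAMPLE_HTML, PAGE_URL).items():
        print(f"{origin}: {', '.join(tags)}")
```

Each listed origin receives a request (and can set its own cookie) as a direct consequence of the first-party HTML, which is the data flow a disclosure would need to describe.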

The Third Circuit’s analysis focused on whether NaviStone was a “direct party” to the communications between Harriet Carter and plaintiff, which is an exception recognized by the Federal Wiretap Law as well as the wiretap laws of other states.  Pennsylvania had previously adopted a similar exemption, but did so in the context of law enforcement investigations where police officers had masqueraded as intended recipients of communications.  The Third Circuit ruled that this was the only scenario under which WESCA recognized a direct party exception.  Critical to the Court’s determination that Pennsylvania’s direct party exception was limited to law enforcement was a 2012 amendment to the law that expressly revised the law’s definition of “intercept” to exclude monitoring by law enforcement masquerading as third parties.  Under rules of statutory construction, the Court held that this express limitation foreclosed broader exceptions, thus limiting the scope of the direct party exception.  In other words, only law enforcement officers, under the expressly identified scenarios set forth in WESCA, can avail themselves of the direct party exception.

The Third Circuit’s analysis did not end there, however.  The Court also considered – and rejected – NaviStone’s contention that the interception occurred in Virginia, where the defendant was located, finding instead that the interception occurred at the point where the communication was re-routed to NaviStone, which occurred on plaintiff’s browser.  This ruling thus disposed of NaviStone’s argument that WESCA could not regulate commerce that occurred wholly outside the Commonwealth.   

In response to NaviStone’s “parade of horribles” argument, the Third Circuit noted that its ruling does not necessarily foreclose websites’ usage of cookies or third party marketing companies.  In particular, the Court noted that WESCA provides an all-party consent exception whereby an interception is permissible if all parties to the communication consent.  This leads to perhaps the key question: did plaintiff consent to NaviStone’s interception of her electronic communications?

NaviStone argued that the Harriet Carter privacy policy disclosed the sharing of personal information with third parties and thus plaintiff impliedly consented to the interception of her communications by NaviStone.  Pennsylvania, like many states, recognizes that prior consent to wiretapping “can be demonstrated when the person being recorded knew or should have known[] that the conversation is being recorded.”  Plaintiff argued that she had neither read the privacy policy nor agreed to its terms.  The Third Circuit ultimately declined to rule on this, remanding the issue to the District Court for further consideration.

The District Court’s pending ruling on whether prior consent can be implied through privacy policy disclosures may have a significant impact on future wiretap cases.  Thousands of U.S. websites are configured with third party code, such as NaviStone’s, to enable digital advertising.  Thirty-eight (38) states, in addition to the District of Columbia, have a wiretap law, and many such laws contain liquidated damages provisions of $1,000 (or more) per violation.  Eleven (11) states require all-party consent to the recording of conversations.  Whether all-party consent can be inferred through the posting of a privacy policy that discloses third party sharing of electronic communications will therefore be a closely watched issue for plaintiffs’ attorneys, digital marketers and other third parties that obtain personally identifiable information through cookies and third party data sharing.  Any ruling that does not clearly embrace a broad reading of prior consent may lead to increased wiretap litigation in states with wiretap laws like Pennsylvania’s.

The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.


In an active week for federal regulators, the Federal Trade Commission (FTC) joined the CFPB in announcing important initiatives that may change privacy and data security practices in major ways.

On August 11, the FTC released its Advanced Notice of Proposed Rulemaking, seeking public input on a host of questions relating to what it describes as “commercial surveillance”—or “the business of collecting, analyzing, and profiting from information about people”—in order to determine whether to issue a new rule “to protect people’s privacy and information in the commercial surveillance economy.”  The FTC’s questions are grouped into several categories, including harm to consumers, harm to children, automated systems, discrimination, consumer consent, and notice, transparency, and disclosure.  The dozens of specific questions range from broad to narrow, but they generally relate to the large amounts of data collected about consumers when they are connected to the internet.  As the FTC explains, its concerns range from data security to bias/discrimination to the inability of consumers to avoid this type of collection and processing.  The FTC also points to concerns about dark patterns, which coerce consumers into sharing personal data.

The FTC’s announcement does not come as a surprise, as Chair Lina Khan has been hinting for months that action would be forthcoming.  However, the formal announcement drew quick blowback from some.  For example, Senator Marsha Blackburn (R-Tenn.), a member of the Senate Commerce Committee, stated that the proposal “is doomed to become another cautionary tale of how the left uses the regulatory state to tear down and rebuild the economy according to their own vision.”  Similarly, FTC Commissioner Christine Wilson warned in her dissent that the FTC’s efforts could derail the ongoing efforts to pass the bipartisan American Data Privacy Protection Act (ADPPA).

The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days.  The public will also have an opportunity to share their input on these topics at a virtual public forum on September 8, 2022.  But as Commissioner Wilson’s warning may indicate, the announcement alone could have impacts on the negotiations relating to the ADPPA even before the comment period ends.  In any event, companies should consider themselves on notice that the FTC plans to continue its focus on analytical tools, online collections, and the use or sale of profiles derived from that information.

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendments specifically add “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours.  Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations.  Second, the Amendments would also require covered entities to notify the superintendent within 24 hours of making an extortion payment.  And finally, the Amendments would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.  If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.

In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities.  The Amendments have a short comment period ending on August 8, 2022, followed by the publishing of the official proposed amendments, after which a 60-day comment period will occur.

Given the comment periods that will occur, it is premature to speculate as to the final form of the Amendments.  However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny.  Covered entities should start assessing how significant the changes would be to comply.

The California Privacy Protection Agency announced today that it began the formal rulemaking process to adopt the proposed regulations implementing the Consumer Privacy Rights Act of 2020 (“CPRA”).  As part of this announcement, the Agency released a link to the Proposed Regulations and supporting documents.

The Agency will hold a public hearing for comments at 9:00am PST, August 24 and 25.  Those wishing to submit written comments on the proposed regulations must submit them by August 23 at 5:00pm PST.  Those wishing to attend should RSVP.

Ballard Spahr will continue to provide updates as more information becomes available.

On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022.  In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation.  Despite these challenges, the OCC believes that “[b]anks’ financial condition remains strong and positioned to deal with the economic headwinds.”

Of special note, the OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns.  In addition, the OCC warns that banks face an “elevated” risk of cyber attacks and fraud or cybersecurity risks related to digital assets.

BSA/AML Compliance Risks

The OCC devotes a paragraph to discussion of BSA/AML and OFAC concerns related to “environmental crimes.”  The OCC decries the climate risk and pollution caused by such crimes.  And, echoing the Financial Crimes Enforcement Network’s (FinCEN) recent notice on the same topic, the OCC cautions that environmental crimes “have a strong association with corruption and transnational criminal organizations.”  We have blogged about this topic several times in several facets, noting how these crimes are estimated to create hundreds of billions in illicit funds each year.  Like FinCEN, it appears that the OCC has this near the top of its priority list.

The OCC then zeroes in on another perennial concern: fraud in government relief programs.  Citing the Covid-19 pandemic and “recent natural disasters,” the OCC characterizes fraud stemming from government relief programs as a “significant risk.”  Predicting that natural disasters will become more, rather than less, common, the OCC predicts long-term increased risk of fraud and urges banks to incorporate both environmental crimes and government relief fraud into long-term planning and risk assessments.  The OCC clearly thinks that BSA/AML and OFAC concerns will continue to haunt government relief programs.

In the first SRP since the Russian invasion of Ukraine, the OCC reminds banks that they must “assess the applicability” of the “complex and evolving” Russia sanctions “on their institutions and customers.”  The OCC urges banks to consider both the impact on branches here and abroad as well as overseas offices and subsidiaries.  Hearkening back to two March FinCEN alerts on which we blogged, the OCC warns banks to “be vigilant against potential efforts to evade” sanctions and reminds banks that suspicious transactions may involve “real estate, luxury goods, and other high-value assets of sanctioned Russian elites and their family members and associates.”  The OCC urges banks to use this as a springboard to increase efforts to detect foreign public corruption and kleptocracy.

The SRP notes that these compliance risks are currently more difficult to respond to because “[b]ank compliance functions also are experiencing challenges retaining and replacing staff.”  It is no surprise that banks, like many other employers, are finding it difficult to hire and retain talent.  The SRP warns that “lack of access to subject matter expertise,” funding cutbacks, over-reliance on third parties to assist in these critical functions, and telework are exacerbating compliance risk.

Cybersecurity Risks

The OCC has long been concerned with operational risks posed to banks from cyber attacks.  The SRP now estimates that operational risks to banks remain “elevated” because cyber attacks continue to “evolve” and “become more sophisticated.”  Specifically, the OCC notes an increase in distributed denial of service (DDoS) attacks and ransomware campaigns directed at the financial services sector, including banks.  We noted the increase in ransomware attacks and ransomware-related SARs discussed in FinCEN’s October 15, 2021 financial trend analysis on ransomware.

The OCC suggests “heightened threat monitoring” and “greater public-private sector information sharing” as two methods to combat DDoS and ransomware attacks.  The OCC states, as a practical matter, that banks should implement and regularly test backup systems to ensure operational resilience and require multifactor authentication and “timely patch management” to make it harder for cyber attackers to gain access.  These echo the suggestions of the Cybersecurity and Infrastructure Security Agency, a government agency within the Department of Homeland Security, in its recently announced Shields Up initiative.

Risks of Engaging with New Technologies, Including Distributed Ledger Technologies and Digital Assets

Finally, the OCC devotes significant time to cybersecurity and fraud risks related to digital assets.  While the OCC recognizes that new technologies, including distributed ledger technologies and digital assets, “can offer many benefits to both banks and their customers,” the OCC believes new technologies are a common target for fraudsters.  Citing this risk of fraud and the possibility of cyber attacks, the OCC provides a number of suggestions for banks considering engaging with digital assets:

  • Banks should ensure that they have sufficient knowledge and expertise in the digital assets and the technology before engaging in new activity with digital assets;
  • Banks should pay special attention to distributed ledger or digital assets companies “delivering banking and bank-like products and services”;
  • Banks should consider their size, complexity, and risk profile before engaging in new activity with digital assets;
  • Banks should engage in “appropriate due diligence, change management, and risk management processes” prior to engaging in new activity with digital assets;
  • Banks may need to consider whether “additional or different controls [are needed] to safeguard against fraud, financial crimes, violations of sanctions requirements and consumer protection and fair lending laws, and operational errors”; and
  • Finally, before engaging in certain activities with digital assets, banks supervised by the OCC should first obtain non-objection.

The SRP’s bottom line: banks should be deliberate and do their due diligence when engaging with new technologies, including distributed ledger technologies and digital assets.

The OCC also promises greater clarity on regulation of digital assets to come in the future, likely a reference to the Sprint Initiative the OCC is engaged in with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, on which we previously blogged.  The OCC is currently working to “develop a common vocabulary of terms” and “use cases and risks” to create “policy and supervision considerations” for digital assets for banks.  With only another vague reference to coming regulations, it remains to be seen what shape they will take and when they will be unveiled.

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. CISA is the primary risk advisor on critical infrastructure, and FIO is the federal monitor of the insurance sector.

The GAO prepared this report pursuant to the Terrorism Risk Insurance Program Reauthorization Act of 2019, which, among other things, directed the GAO to conduct a study on: (1) the risks and potential costs of cyberattacks to U.S. public and private infrastructure; (2) whether states’ definition of cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber terrorism; (3) whether such risks can be adequately priced by the private market; and (4) whether the risk-share system established under the Terrorism Risk Insurance Act of 2002, which created the Terrorism Risk Insurance Program (TRIP), is appropriate for covering cyber terrorism events.

In the report, the GAO highlighted the significant and growing cybersecurity risks facing U.S. critical infrastructure and examined how the insurance market against cyberattacks is evolving, often in a way that means less coverage against potentially catastrophic financial losses. The report noted that although cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from cyberattacks with systemic effects. Coverage under TRIP, which requires the federal government to share certain insured losses with private insurers in the event of an act of terrorism, is limited to attacks that meet certification criteria specified by the program, among other requirements. As the GAO notes, even very large cyberattacks on critical infrastructure resulting in catastrophic losses and risk to national security might not be covered if they do not meet all the certification criteria. For example, one criterion is that the event must be a “violent act or an act that is dangerous” to human life, property, or infrastructure. Even though a data breach or denial of service attack may result in stolen data or IT system disruption, it may not necessarily be a violent act or dangerous to human life, property, or infrastructure. To date, the federal government has not certified any such acts of terrorism.

The report also noted that while CISA and FIO have taken some steps to understand the financial implications of cyber risk, neither agency has fully assessed the extent to which the risks to the nation’s critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response.  In their comments to the report, both DHS and Treasury agreed with the GAO’s recommendation to work together to produce such an assessment for Congress.  DHS stated that it would review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Information Act of 2022 (previously discussed on this blog), once available, and work with Treasury in the interim to determine other data needed.  Treasury confirmed that it had reached out to DHS to begin collaboration on this effort.

The Third Circuit recently issued an opinion upholding the federal cyber-stalking statute against a constitutional challenge in United States v. Ho Ka Yung. Yung was convicted of cyber-stalking after he instituted a campaign of harassment against a Georgetown Law alumnus interviewer and his family. Though he pled guilty, Yung preserved the right to appeal his conviction on the grounds that 18 U.S.C. §2261(A)(2), the federal statute criminalizing cyber-stalking, is unconstitutional because it criminalizes speech protected by the First Amendment. The Third Circuit upheld Yung’s conviction, finding that a narrower reading of the statute prevented the majority of protected speech from being swept into its purview.

The facts of this case serve as a stark example of the real harm that can be inflicted through online behavior.

A year after being denied admission at Georgetown Law, Yung began a campaign of harassment online against the Georgetown alumnus who had interviewed him as part of the application process. Yung published false obituaries for the interviewer’s wife and son, created false social media profiles associating the interviewer with the Ku Klux Klan, and published blog posts in the interviewer’s name that bragged of raping women, a boy, and an eight-year-old girl. Yung posed as a female Georgetown applicant, accusing the interviewer of sexual assault. Yung’s harassment also targeted the interviewer’s family. Impersonating the interviewer’s wife, Yung published online ads, in one instance seeking a sex slave and instructing a man who responded to spy on the family, and in another instance claiming that she wanted men to use weapons to physically threaten her before initiating forcible sex. As a result of some of these ads, unknown men came to the interviewer’s home in the middle of the night on three consecutive nights. The online harassment caused real-life threats to the family’s safety.

In his First Amendment challenge, Yung did not argue that the conduct he was convicted for was protected by the First Amendment. Instead, Yung argued that the statute as a whole should be struck down for overbreadth because a significant portion of what it criminalizes is protected conduct. Statutes will only be found facially invalid when they prohibit a wide range of constitutionally protected activity in relation to their legitimate sweep. Courts are reticent to invalidate entire statutes, and as the Third Circuit demonstrated this week, the principle of constitutional avoidance dictates that when several interpretations are available, courts should choose the one that permits a statute to withstand a constitutional challenge.

The challenged federal cyber-stalking statute contains three elements.  A person can be convicted if they (1) “use [] the mail, any interactive computer service or … system …, or any other facility of interstate or foreign commerce” at least twice, (2) do so “with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person,” and (3) put the victim “in reasonable fear of … death … or serious bodily injury,” or “cause[], attempt[] to cause, or … be reasonably expected to cause substantial emotional distress.”  §2261(A)(2).  Yung argued that this statute was unconstitutionally overbroad because it would criminalize mere online “trolling,” including large amounts of constitutionally protected speech like harsh political criticism or negative reviews of literary or artistic endeavors.

In its decision this week, the Third Circuit acknowledged that this broad reading is a plausible – if not the most natural – interpretation of the statute. Both “harass” and “intimidate” can be defined to cover a range of conduct that would clearly be protected by the First Amendment. Nonetheless, applying the doctrine of constitutional avoidance, the court interpreted both terms narrowly. The court held that to “intimidate” for the purposes of §2261(A)(2), a defendant must have put the victim in fear of bodily injury; to “harass,” the defendant must “distress the victim by threatening, intimidating, or the like.” Under these definitions, which the court referred to as “criminal” definitions of harassment or intimidation, the statute is not unconstitutionally overbroad.

While the facts of Yung exemplify the need for regulation of online behavior, the questions raised by the appeal demonstrate the challenges of drawing appropriate contours for that regulation.

The intent, action, and result elements of the cyber-stalking statute were all clearly met in Yung. Yung created countless pieces of threatening and abusive content targeting his victim, and he intentionally sent people to harass and threaten his victim’s family. In many cases, however, real harm will be effected online where one or more of the statute’s elements are murkier. The Third Circuit’s refined definitions of criminal harassment and intimidation may govern those cases, but the questions about how and where to draw the line when regulating online speech will continue to challenge courts. This week’s decision affirms that the constitution permits the government to use intent to intimidate or harass as tools for drawing that line.