Internet of Things (IoT)

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

Continue Reading California Poised to Enact Internet of Things Information Security Law

 

We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation.  Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

On June 27, 2018, Ballard Spahr partner David Stauss will speak at the Practicing Law Institute’s inaugural Internet of Things Conference in San Francisco. The full-day conference is also available via webcast.

The program will bring together industry leaders to discuss various issues with the rapidly changing landscape of IoT devices.  In his panel, “Cybersecurity & Privacy: What are the Risks of IoT Devices and how Privacy Rights can be Protected,” Mr. Stauss and his co-panelists will explore the emerging government and industry regulation surrounding IoT devices, including FTC action and guidance and proposed state, federal and international laws and regulations.

Ballard Spahr has two complimentary passes available for the conference. Interested individuals should email Mr. Stauss directly at staussd@ballardspahr.com.

Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harmon International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court.  The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harmon moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.   Continue Reading Fiat Chrysler Car Hacking Case Put In Neutral

The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.

In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”

So why does this matter? 

Continue Reading Data Security Litigation: CPSC to Hold Hearing on The Internet of Things and Consumer Product Hazards

On March 6, 2018, the FTC hosted a live Twitter chat to mark the twentieth anniversary of the Children’s Online Privacy Protection Act (COPPA).  The stated purpose of the chat was to discuss the FTC’s work to enforce COPPA and to ensure the FTC’s rule implementing the law stays in step with evolving technologies and data collection practices.

The chat began with the FTC pointing to its published FAQs, as well as two recent COPPA settlements: a $650,000 settlement with VTech Electronics Limited, which was the FTC’s first children’s privacy case involving Internet-connected toys, and a $235,000 settlement with Prime Sites, Inc., which focused on how a company can gain “actual knowledge” that it is collecting information from a child. Continue Reading FTC Explains Evolution of COPPA in Live Twitter Chat

For those of you heading to Legaltech in New York next week, please join me and a great panel for what promises to be a lively discussion of hot topics in IoT and Mobile Discovery.  I’ve been fortunate enough to have been included in Relativity’s session on this topic at a number of conferences, and this next iteration is shaping up to be our best yet.  Here’s our session description:

From the Iron Rooster to Amazon Alexa: Mobile Discovery and the Internet of Things

Whether it’s missing mobile data (Montgomery v. Iron Rooster-Annapolis, LLC), digital data in a truck (Below v. Yokohama Tire Corp.), Fitbit data (State v. Dabate), or data from an Amazon Alexa (State v. Bates) mobile discovery and data from the Internet of Things (IoT) devices present challenges, not only for litigants and their lawyers, but for corporate organizations, paralegals, and technologists as well. In this session, lawyers and consultants, including a former Department of Justice cybercrime coordinator, a prominent discovery attorney, a corporate information governance expert, and a leading legal industry analyst, will address the legal, technical, and practical considerations of mobile, social, and IoT data, including preservation requirements and data privacy limitations.

Here’s the link to the Legaltech page, in case you haven’t registered yet.  Hope to see you in NYC!

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017. The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call. Continue Reading FTC Releases Annual Privacy and Data Security Update

One challenging aspect of privacy and data security law is that technology is constantly evolving. The near and long term future of privacy and data security will be driven by emerging technologies that developers, legislators, businesses, and lawyers may not fully understand for years to come. Last year saw a surge in technologies enabling companies to collect and analyze increasing amounts of consumer data as well as the development of technologies enabling consumers to better protect their privacy. Just as the development of new technologies is inevitable, so too is the rise of potential ways in which those technologies can be misused, which in turn provokes a legislative and regulatory response. The cycle never ends.

To help privacy and data security professionals keep pace with these changes, we will be providing regular updates throughout the course of the year on the development of emerging technologies, as well as legislation and regulation regarding privacy and data security. We begin with a review of recent developments in the Internet of Things and biometric technologies, and offer some predictions on legal and business changes to look for in 2018.

Continue Reading Privacy and Data Security and Emerging Technologies – Spotlight on the Internet of Things and Biometrics