Internet of Things (IoT)

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
Continue Reading  FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices

On November 17, 2020, H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020”, was unanimously passed by the Senate. The bill is now on its way to President Trump for signature or veto.

The bill would require the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record.
Continue Reading  Some Thoughts on the Year in Privacy and Data Security Law

Please join Ballard Spahr on October 4, 2018 in New York City for “Concordant Crossroads: Regulation and Innovation in the Automotive Industry,” presented by the Thomson Reuters Legal Executive Institute. Co-chaired by Ballard Spahr partners Neal Walters and Philip N. Yannella, this conference offers a practical and robust examination of the disruption that autonomous technology and regulation pose to transportation and the automotive industry.
Continue Reading  Join Us at Concordant Crossroads: Regulation and Innovation in the Automotive Industry

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

Continue Reading  California Poised to Enact Internet of Things Information Security Law

We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation.  Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation.
Continue Reading  Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

On June 27, 2018, Ballard Spahr partner David Stauss will speak at the Practicing Law Institute’s inaugural Internet of Things Conference in San Francisco. The full-day conference is also available via webcast.

The program will bring together industry leaders to discuss various issues with the rapidly changing landscape of IoT devices.  In his panel,

Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harmon International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court.  The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harmon moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.  
Continue Reading  Fiat Chrysler Car Hacking Case Put In Neutral

The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.

In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”

So why does this matter? 

Continue Reading  Data Security Litigation: CPSC to Hold Hearing on The Internet of Things and Consumer Product Hazards

On March 6, 2018, the FTC hosted a live Twitter chat to mark the twentieth anniversary of the Children’s Online Privacy Protection Act (COPPA).  The stated purpose of the chat was to discuss the FTC’s work to enforce COPPA and to ensure the FTC’s rule implementing the law stays in step with evolving technologies and data collection practices.

The chat began with the FTC pointing to its published FAQs, as well as two recent COPPA settlements: a $650,000 settlement with VTech Electronics Limited, which was the FTC’s first children’s privacy case involving Internet-connected toys, and a $235,000 settlement with Prime Sites, Inc., which focused on how a company can gain “actual knowledge” that it is collecting information from a child.
Continue Reading  FTC Explains Evolution of COPPA in Live Twitter Chat